{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rce/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-42796"}],"_cs_exploited":false,"_cs_products":["Arelle"],"_cs_severities":["critical"],"_cs_tags":["rce","arelle","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Arelle"],"content_html":"\u003cp\u003eArelle versions prior to 2.39.10 are susceptible to an unauthenticated remote code execution (RCE) vulnerability. The vulnerability resides in the \u003ccode\u003e/rest/configure\u003c/code\u003e REST endpoint, which improperly handles the \u003ccode\u003eplugins\u003c/code\u003e query parameter. This parameter is forwarded to the plugin manager without proper authentication or authorization checks. An attacker can exploit this flaw by providing a URL pointing to a malicious Python file via the \u003ccode\u003eplugins\u003c/code\u003e parameter. Upon receiving this request, the Arelle webserver downloads and executes the attacker-supplied Python code within the context of the Arelle process. This grants the attacker control over the Arelle server with the same privileges as the Arelle process. This vulnerability poses a significant risk, especially in environments where Arelle servers are exposed to the internet or untrusted networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP GET request to the \u003ccode\u003e/rest/configure\u003c/code\u003e endpoint of the Arelle web server.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eplugins\u003c/code\u003e query parameter, which contains a URL pointing to a malicious Python file hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe Arelle web server receives the request and, without proper authentication or authorization, forwards the \u003ccode\u003eplugins\u003c/code\u003e parameter to the plugin manager.\u003c/li\u003e\n\u003cli\u003eThe plugin manager downloads the Python file from the attacker-supplied URL using standard HTTP(S) protocols.\u003c/li\u003e\n\u003cli\u003eThe Arelle process executes the downloaded Python code using the Python interpreter.\u003c/li\u003e\n\u003cli\u003eThe malicious Python code executes arbitrary commands on the Arelle server, potentially installing malware, creating reverse shells, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Arelle server and can perform further actions, such as accessing internal network resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution on the Arelle server. This could lead to complete compromise of the server, including sensitive data theft, malware deployment, and further lateral movement within the network. The potential impact includes data breaches, service disruption, and reputational damage. Given the severity and ease of exploitation, any Arelle instance running a version prior to 2.39.10 is at critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Arelle to version 2.39.10 or later to patch CVE-2026-42796.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Arelle Plugin Download via REST Endpoint\u0026rdquo; to identify exploitation attempts targeting the vulnerable \u003ccode\u003e/rest/configure\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/rest/configure\u003c/code\u003e endpoint containing the \u003ccode\u003eplugins\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised Arelle server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:32Z","date_published":"2026-05-04T18:16:32Z","id":"/briefs/2026-05-arelle-rce/","summary":"Arelle before 2.39.10 is vulnerable to unauthenticated remote code execution via the /rest/configure REST endpoint, allowing attackers to execute arbitrary Python code by supplying a malicious URL through the plugins parameter.","title":"Arelle Unauthenticated Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-arelle-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-web (\u003c= 2.7.8)","openmrs-web (\u003e= 2.8.0, \u003c= 2.8.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","rce","openmrs","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the \u003ccode\u003ePOST /openmrs/ws/rest/v1/module\u003c/code\u003e endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted \u003ccode\u003e.omod\u003c/code\u003e archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e function, an oversight compared to other extraction methods within the same codebase that are properly protected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.omod\u003c/code\u003e file containing a ZIP entry with a path traversal payload, such as \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint, uploading the malicious \u003ccode\u003e.omod\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and parses the uploaded \u003ccode\u003e.omod\u003c/code\u003e file, treating it as a ZIP archive.\u003c/li\u003e\n\u003cli\u003eDuring module loading via \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e, the server extracts entries under the \u003ccode\u003eweb/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete check, the entry \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e passes the initial validation.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended \u003ccode\u003eWEB-INF/view/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS\u0026rsquo;s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenMRS Malicious Module Upload\u003c/code\u003e to identify exploitation attempts based on HTTP requests to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint with suspicious file extensions in the query parameters.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule \u003ccode\u003eDetect JSP File Creation in Web Application Root\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003emodule.allow_web_admin\u003c/code\u003e restriction consistently across all module upload entry points, including the REST API to prevent bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:39:31Z","date_published":"2026-05-04T17:39:31Z","id":"/briefs/2024-01-openmrs-zip-slip/","summary":"OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.","title":"OpenMRS Module Upload Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-29514"}],"_cs_exploited":false,"_cs_products":["NetBox (4.3.5 - 4.5.4)"],"_cs_severities":["critical"],"_cs_tags":["rce","template-injection","netbox","cve-2026-29514"],"_cs_type":"advisory","_cs_vendors":["NetBox"],"content_html":"\u003cp\u003eNetBox, a widely-used infrastructure resource modeling application, is vulnerable to remote code execution (RCE) in versions 4.3.5 through 4.5.4. This vulnerability, identified as CVE-2026-29514, resides in the \u003ccode\u003eRenderTemplateMixin.get_environment_params()\u003c/code\u003e method. An authenticated attacker with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions can exploit this flaw by injecting malicious Python callables into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. Successful exploitation allows the attacker to bypass the Jinja2 SandboxedEnvironment, achieving arbitrary code execution as the NetBox service user. This RCE can lead to complete system compromise, data exfiltration, or denial of service. Defenders should prioritize patching and implement the detection measures outlined below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the NetBox web application with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify or create an export/config template.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects a Python callable, such as \u003ccode\u003esubprocess.getoutput\u003c/code\u003e, into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. The \u003ccode\u003efinalize\u003c/code\u003e parameter of the Jinja2 environment is set to this callable.\u003c/li\u003e\n\u003cli\u003eNetBox processes the request, and the Jinja2 environment is initialized with the attacker-controlled \u003ccode\u003efinalize\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWhen the template is rendered, every expression outside the sandbox\u0026rsquo;s call interception mechanism is processed.\u003c/li\u003e\n\u003cli\u003eThe injected callable (\u003ccode\u003esubprocess.getoutput\u003c/code\u003e) is invoked on the rendered expression.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.getoutput\u003c/code\u003e callable executes arbitrary shell commands as the NetBox service user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, potentially leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29514 allows an authenticated attacker to execute arbitrary code on the NetBox server. The impact includes potential full system compromise, data exfiltration, and denial of service. Given that NetBox is often used to manage critical infrastructure information, a successful attack could have significant consequences, potentially affecting numerous organizations that rely on accurate network data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NetBox to a patched version (4.5.5 or later) to remediate CVE-2026-29514.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect attempts to inject malicious callables into \u003ccode\u003eenvironment_params\u003c/code\u003e via webserver logs.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u003ccode\u003eexporttemplate\u003c/code\u003e and \u003ccode\u003econfigtemplate\u003c/code\u003e permissions to only those users who require them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:16:22Z","date_published":"2026-05-04T17:16:22Z","id":"/briefs/2026-05-netbox-rce/","summary":"NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.","title":"NetBox RCE via Jinja2 Template Injection (CVE-2026-29514)","url":"https://feed.craftedsignal.io/briefs/2026-05-netbox-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OPNsense"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","firewall"],"_cs_type":"advisory","_cs_vendors":["OPNsense"],"content_html":"\u003cp\u003eMultiple unspecified vulnerabilities in OPNsense allow a remote, anonymous attacker to bypass security restrictions and achieve arbitrary code execution. The vulnerabilities stem from inadequate input validation and insufficient privilege checks within the OPNsense firewall software. While the specific vulnerable components are not detailed in the advisory, successful exploitation would grant an attacker complete control over the affected OPNsense instance. This can lead to a complete breach of the network perimeter, allowing the attacker to pivot to internal systems, intercept network traffic, or disrupt network services. Given the critical role of OPNsense as a network gateway, organizations using this software should prioritize detection and mitigation efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OPNsense instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting a specific, undisclosed vulnerable endpoint. This request exploits a flaw in input validation or authentication.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OPNsense component processes the malicious request without proper sanitization or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe injected payload bypasses security restrictions, potentially exploiting a command injection or similar vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected payload executes arbitrary code on the OPNsense system, gaining initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial foothold to escalate privileges within the OPNsense system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, ensuring continued access even after system reboots or security updates.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems within the network, using the compromised OPNsense instance as a launchpad for further attacks, or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary code on the OPNsense firewall. This gives the attacker full control of the firewall, allowing them to intercept network traffic, modify firewall rules, and potentially pivot to internal networks. The impact is a complete compromise of the network perimeter, potentially affecting all systems and data behind the firewall. The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor OPNsense webserver logs for suspicious POST requests to unusual or sensitive endpoints, using a webserver category Sigma rule (see example below).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (NIDS) rules to detect exploitation attempts against OPNsense services.\u003c/li\u003e\n\u003cli\u003eWhile specific CVEs are unavailable, stay informed about OPNsense security updates and apply them immediately upon release.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:09:07Z","date_published":"2026-05-04T11:09:07Z","id":"/briefs/2026-05-opnsense-rce/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in OPNsense to bypass security measures and execute arbitrary code, potentially leading to complete system compromise.","title":"OPNsense Multiple Vulnerabilities Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-opnsense-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7320"},{"cvss":9.6,"id":"CVE-2026-7321"},{"cvss":7.3,"id":"CVE-2026-7322"},{"cvss":7.3,"id":"CVE-2026-7323"},{"cvss":7.3,"id":"CVE-2026-7324"}],"_cs_exploited":false,"_cs_products":["Thunderbird ESR","Thunderbird"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","databreach","securitybypass"],"_cs_type":"advisory","_cs_vendors":["Mozilla"],"content_html":"\u003cp\u003eOn May 4, 2026, CERT-FR published an advisory regarding multiple vulnerabilities affecting Mozilla Thunderbird. Specifically, Thunderbird versions prior to 150.0.1 and Thunderbird ESR versions prior to 140.10.1 are vulnerable. Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, compromise the confidentiality of data, and bypass security policies. The advisory highlights the urgency for users and organizations utilizing affected versions to apply the necessary patches to mitigate these risks. These vulnerabilities underscore the importance of maintaining up-to-date software versions to defend against potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target using a vulnerable version of Mozilla Thunderbird (ESR \u0026lt; 140.10.1 or \u0026lt; 150.0.1).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious email or leverages a compromised website to deliver a specially crafted exploit.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious email or visits the compromised website within Thunderbird.\u003c/li\u003e\n\u003cli\u003eThe exploit triggers a vulnerability in Thunderbird, such as CVE-2026-7320 (or another from the listed CVEs), leading to code execution.\u003c/li\u003e\n\u003cli\u003eAttacker gains initial access to the user\u0026rsquo;s system with the privileges of the Thunderbird process.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges, if necessary, to gain a higher level of control over the system.\u003c/li\u003e\n\u003cli\u003eAttacker executes arbitrary commands to install malware, exfiltrate sensitive data, or perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft, system compromise, or establishing a persistent foothold.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have severe consequences. An attacker could remotely execute arbitrary code, potentially leading to full system compromise. Sensitive data stored within Thunderbird, such as emails, contacts, and passwords, could be exposed. The security policy bypass could allow attackers to perform actions that are normally restricted, further compromising the system\u0026rsquo;s security. This can lead to significant financial losses, reputational damage, and legal liabilities for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Mozilla Thunderbird to version 150.0.1 or later, or Thunderbird ESR to version 140.10.1 or later, to patch the vulnerabilities described in Mozilla security advisories mfsa2026-38 and mfsa2026-39.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Thunderbird Spawning Suspicious Processes\u0026rdquo; to identify potential exploitation attempts via unusual child processes.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Thunderbird spawning command interpreters or script engines using the Sigma rule \u0026ldquo;Detect Thunderbird Running External Commands\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eReview and harden email security policies to prevent the delivery of malicious emails that could exploit these vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T00:00:00Z","date_published":"2026-05-04T00:00:00Z","id":"/briefs/2026-05-thunderbird-vulns/","summary":"Multiple vulnerabilities in Mozilla Thunderbird prior to versions 150.0.1 and Thunderbird ESR prior to 140.10.1 could allow a remote attacker to achieve arbitrary code execution, data confidentiality breach, and security policy bypass.","title":"Multiple Vulnerabilities in Mozilla Thunderbird Allow for Remote Code Execution and Data Breach","url":"https://feed.craftedsignal.io/briefs/2026-05-thunderbird-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-2052"}],"_cs_exploited":false,"_cs_products":["The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026 Classic Widgets plugin \u003c= 4.2.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin\u0026rsquo;s Display Logic feature, which utilizes the \u003ccode\u003eeval()\u003c/code\u003e function to process user-supplied expressions. The plugin\u0026rsquo;s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving \u003ccode\u003earray_map\u003c/code\u003e with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application as a Contributor or higher-level user.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Widget Options settings within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as \u003ccode\u003earray_map\u003c/code\u003e and string concatenation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious Display Logic expression into the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker-supplied PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets\u0026rdquo; plugin to the latest version to patch CVE-2026-2052.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Widget Options RCE Attempt\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Contributor or higher-level access.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, particularly requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e related to widget options.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T08:16:27Z","date_published":"2026-05-02T08:16:27Z","id":"/briefs/2026-05-wordpress-widget-rce/","summary":"The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.","title":"WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4882"}],"_cs_exploited":false,"_cs_products":["User Registration Advanced Fields plugin \u003c= 1.6.20"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a \u0026ldquo;Profile Picture\u0026rdquo; field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (\u0026lt;= 1.6.20) with the \u0026ldquo;Profile Picture\u0026rdquo; field enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function, bypassing any client-side file type checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin saves the file to the WordPress uploads directory without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the exact file path of the uploaded web shell on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request directly to the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web shell executes on the server, providing the attacker with remote code execution capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.\u003c/li\u003e\n\u003cli\u003eImplement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity targeting the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress File Uploads\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission policies to prevent uploaded files from being executed as scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:00Z","date_published":"2026-05-02T05:16:00Z","id":"/briefs/2026-05-wordpress-upload/","summary":"The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.","title":"WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7551"}],"_cs_exploited":false,"_cs_products":["OpenHarness"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","injection"],"_cs_type":"advisory","_cs_vendors":["HKUDS"],"content_html":"\u003cp\u003eHKUDS OpenHarness is vulnerable to a remote code execution flaw (CVE-2026-7551) affecting the /bridge slash command. This vulnerability permits remote attackers, who are authorized by the OpenHarness configuration, to execute arbitrary operating system commands on the host system. The attack leverages the /bridge spawn command, which, when supplied with attacker-controlled command text, is processed by the bridge session manager and executed through a shared shell subprocess. This execution context grants attackers the ability to spawn shell sessions with the privileges of the OpenHarness process user, potentially exposing local files, credentials, workspace state, and repository contents. Successful exploitation results in a complete compromise of the OpenHarness instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an accessible OpenHarness instance with the vulnerable /bridge slash command enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates or gains access to a communication channel (e.g., chat application) accepted by OpenHarness.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious /bridge spawn command containing OS commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted /bridge spawn command to the OpenHarness instance via the configured communication channel.\u003c/li\u003e\n\u003cli\u003eOpenHarness processes the /bridge command and forwards the attacker-controlled command text to the bridge session manager.\u003c/li\u003e\n\u003cli\u003eThe bridge session manager executes the injected OS commands through a shared shell subprocess.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a shell session with the privileges of the OpenHarness process user.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses local files, credentials, workspace state, and repository contents, potentially exfiltrating sensitive data or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7551 allows attackers to execute arbitrary operating system commands on the OpenHarness server. This grants them the ability to spawn shell sessions as the OpenHarness process user, which can lead to the exposure of sensitive information such as local files, credentials, workspace state, and repository contents. The impact of this vulnerability is significant, potentially allowing for complete system compromise and data exfiltration, but the exact number of victims is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates provided by HKUDS to address CVE-2026-7551 on all OpenHarness instances.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the /bridge slash command to prevent the injection of malicious OS commands.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious shell executions originating from the OpenHarness process using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the OpenHarness server to only authorized users and systems.\u003c/li\u003e\n\u003cli\u003eReview OpenHarness configurations to ensure that only trusted communication channels are accepted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T22:17:40Z","date_published":"2026-04-30T22:17:40Z","id":"/briefs/2026-05-openharness-rce/","summary":"HKUDS OpenHarness contains a remote code execution vulnerability (CVE-2026-7551) in the /bridge slash command, allowing remote attackers to execute arbitrary operating system commands by injecting malicious commands via the /bridge spawn command, leading to unauthorized shell access and data exposure.","title":"HKUDS OpenHarness Remote Code Execution via /bridge Slash Command (CVE-2026-7551)","url":"https://feed.craftedsignal.io/briefs/2026-05-openharness-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-71284"}],"_cs_exploited":false,"_cs_products":["SMG Gateway Management Software"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","network"],"_cs_type":"advisory","_cs_vendors":["Synway"],"content_html":"\u003cp\u003eSynway SMG Gateway Management Software is susceptible to an OS command injection vulnerability (CVE-2025-71284) within the RADIUS configuration endpoint. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted POST request to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e. The vulnerability lies in the improper sanitization of the \u003ccode\u003eradius_address\u003c/code\u003e POST parameter, which is directly incorporated into a \u003ccode\u003esed\u003c/code\u003e command. The Shadowserver Foundation observed the first exploitation evidence on 2025-07-11 (UTC). Successful exploitation allows the attacker to execute arbitrary shell commands on the affected system, potentially compromising the entire gateway. This vulnerability poses a significant risk to organizations using the Synway SMG Gateway, as it enables unauthenticated remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes parameters such as \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, or \u003ccode\u003eretry\u003c/code\u003e along with \u003ccode\u003esave=1\u003c/code\u003e and \u003ccode\u003eenable_radius=1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eradius_address\u003c/code\u003e parameter contains an OS command injection payload.\u003c/li\u003e\n\u003cli\u003eThe application improperly sanitizes the \u003ccode\u003eradius_address\u003c/code\u003e parameter and incorporates it into a \u003ccode\u003esed\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to maintain persistence and expand their foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, and \u003ccode\u003eretry\u003c/code\u003e parameters in the RADIUS configuration endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e containing suspicious characters or command sequences indicative of command injection attacks to activate the \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T17:16:25Z","date_published":"2026-04-30T17:16:25Z","id":"/briefs/2026-05-synway-smg-rce/","summary":"Synway SMG Gateway Management Management Software is vulnerable to unauthenticated OS command injection via crafted POST requests to the RADIUS configuration endpoint, leading to remote code execution.","title":"Synway SMG Gateway Management Software Unauthenticated OS Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-synway-smg-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-4150"},{"cvss":7.8,"id":"CVE-2026-4151"},{"cvss":7.8,"id":"CVE-2026-4152"},{"cvss":7.8,"id":"CVE-2026-4153"},{"cvss":7.8,"id":"CVE-2026-4154"}],"_cs_exploited":false,"_cs_products":["GIMP"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","gimp"],"_cs_type":"advisory","_cs_vendors":["GIMP"],"content_html":"\u003cp\u003eMultiple vulnerabilities in GIMP allow a remote, anonymous attacker to execute arbitrary code on a vulnerable system. The specific vulnerabilities are not detailed in the advisory, but the potential impact is significant, as successful exploitation could allow an attacker to gain complete control over the affected system. This threat is relevant to organizations and individuals using GIMP in their environments. Defenders should focus on detecting anomalous process execution originating from GIMP or unexpected network connections initiated by the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious image or file designed to exploit a vulnerability in GIMP.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to a target user, potentially through social engineering or a compromised website.\u003c/li\u003e\n\u003cli\u003eThe target user opens the malicious file with GIMP.\u003c/li\u003e\n\u003cli\u003eGIMP parses the malicious file, triggering the unspecified vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to execute arbitrary code within the context of the GIMP process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to escalate privileges or establish persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, exfiltrate sensitive data, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to arbitrary code execution, potentially granting an attacker complete control over the affected system. This could result in data theft, malware installation, system compromise, or disruption of services. The advisory does not specify the number of potential victims, but given the popularity of GIMP, the impact could be widespread.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected child processes spawned by GIMP to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eGIMP Suspicious Child Processes\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from GIMP for connections to unusual or malicious domains. Deploy the Sigma rule \u003ccode\u003eGIMP Suspicious Network Connections\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:18:57Z","date_published":"2026-04-30T09:18:57Z","id":"/briefs/2026-05-gimp-rce/","summary":"A remote, anonymous attacker can exploit multiple unspecified vulnerabilities in GIMP to achieve arbitrary code execution on a vulnerable system.","title":"GIMP Multiple Vulnerabilities Allow Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-gimp-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Wireshark 4.4.x","Wireshark 4.6.x"],"_cs_severities":["high"],"_cs_tags":["wireshark","vulnerability","rce","dos"],"_cs_type":"advisory","_cs_vendors":["Wireshark"],"content_html":"\u003cp\u003eOn April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities discovered in Wireshark, a widely used network protocol analyzer. The vulnerabilities affect Wireshark versions 4.4.x prior to 4.4.15 and 4.6.x prior to 4.6.5. Successful exploitation of these vulnerabilities could lead to remote code execution (RCE), denial-of-service (DoS) conditions, and unauthorized disclosure of sensitive data. Given Wireshark\u0026rsquo;s role in network analysis, these vulnerabilities pose a significant risk to organizations using the tool for monitoring and troubleshooting network traffic. These vulnerabilities highlight the importance of keeping software up to date, especially software that handles sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious network packet or capture file.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious packet or capture file in a vulnerable version of Wireshark (4.4.x before 4.4.15 or 4.6.x before 4.6.5).\u003c/li\u003e\n\u003cli\u003eWireshark parses the packet or file using a vulnerable dissector.\u003c/li\u003e\n\u003cli\u003eThe vulnerable dissector fails to properly handle the malformed data, leading to a buffer overflow or other memory corruption issue.\u003c/li\u003e\n\u003cli\u003eThe memory corruption allows the attacker to overwrite critical program data or inject malicious code.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the Wireshark process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Wireshark process.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as exfiltrating sensitive data or causing a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can have severe consequences, including remote code execution, potentially allowing an attacker to gain complete control over the affected system. A denial-of-service condition can disrupt network analysis activities and hinder incident response efforts. Data confidentiality can be compromised if an attacker gains access to sensitive network traffic data captured by Wireshark. The impact is significant for network administrators and security professionals who rely on Wireshark for network monitoring and analysis.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Wireshark to version 4.4.15 or 4.6.5 or later to patch the vulnerabilities (refer to the Wireshark security advisories wnpa-sec-2026-08 through wnpa-sec-2026-50).\u003c/li\u003e\n\u003cli\u003eImplement network access controls to limit exposure of Wireshark instances to untrusted network traffic, reducing the likelihood of processing malicious packets.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Wireshark opening network capture files from untrusted locations\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor systems running vulnerable versions of Wireshark for suspicious activity, such as unexpected process crashes or unauthorized network connections.\u003c/li\u003e\n\u003cli\u003eConsider using alternative packet analysis tools or sandboxing Wireshark for analyzing potentially malicious network traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-wireshark-vulns/","summary":"Multiple vulnerabilities in Wireshark versions 4.4.x before 4.4.15 and 4.6.x before 4.6.5 could allow remote attackers to execute arbitrary code, cause a denial of service, or compromise data confidentiality.","title":"Multiple Vulnerabilities in Wireshark Lead to Remote Code Execution and Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-04-wireshark-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["rce","prototype pollution","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42232, exists within the n8n workflow automation tool. This flaw allows an authenticated user, who possesses permissions to create or modify workflows, to achieve remote code execution (RCE). The attack vector involves exploiting global prototype pollution through the XML Node. Versions affected include those prior to 1.123.32, versions 2.17.0 up to but not including 2.17.4, and versions 2.18.0 up to but not including 2.18.1. Defenders should prioritize patching n8n instances due to the high potential for complete system compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an n8n instance with workflow creation/modification privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious workflow that leverages the XML Node to inject a payload designed to trigger prototype pollution.\u003c/li\u003e\n\u003cli\u003eThe crafted XML node manipulates global object prototypes within the n8n application.\u003c/li\u003e\n\u003cli\u003eThe attacker introduces a property into a global object prototype that can be exploited by another node.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a secondary node (e.g., Function node) that leverages the polluted prototype property.\u003c/li\u003e\n\u003cli\u003eThe secondary node\u0026rsquo;s execution triggers the polluted prototype, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the n8n server, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to full system compromise, including data exfiltration, credential theft, and lateral movement within the network. Given the nature of n8n as an automation platform, successful attacks can severely impact connected systems and services. This vulnerability affects n8n users who have not upgraded to patched versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to remediate CVE-2026-42232.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, limit workflow creation and editing permissions to only fully trusted users as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, disable the XML node by adding \u003ccode\u003en8n-nodes-base.xml\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:53Z","date_published":"2026-04-29T21:25:53Z","id":"/briefs/2024-01-n8n-rce/","summary":"A vulnerability in n8n allows authenticated users with workflow creation permissions to achieve remote code execution (RCE) through global prototype pollution via the XML Node in versions prior to 1.123.32, versions 2.17.0 to 2.17.4, and versions 2.18.0 to 2.18.1.","title":"n8n XML Node Prototype Pollution Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","rce","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability exists within the n8n workflow automation platform, specifically affecting the parsing of XML request bodies in webhook handlers. This flaw stems from the use of the \u003ccode\u003exml2js\u003c/code\u003e library, which is susceptible to prototype pollution attacks. An authenticated user possessing the capability to create or modify workflows can leverage this vulnerability by sending a specially crafted XML payload. Successful exploitation results in the pollution of the JavaScript object prototype. Attackers can chain this pollution with the Git node\u0026rsquo;s SSH operations to achieve arbitrary remote code execution (RCE) on the underlying n8n host. The vulnerability affects n8n versions prior to 1.123.32, versions 2.17.0 to 2.17.3, and versions 2.18.0 to 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload designed to exploit the prototype pollution vulnerability in the \u003ccode\u003exml2js\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a workflow containing a webhook node configured to receive XML data.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted XML payload to the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exml2js\u003c/code\u003e library parses the malicious XML, inadvertently polluting the JavaScript object prototype with attacker-controlled properties.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a Git node in the workflow.\u003c/li\u003e\n\u003cli\u003eThe polluted prototype modifies the behavior of the Git node\u0026rsquo;s SSH operations.\u003c/li\u003e\n\u003cli\u003eWhen the workflow executes, the Git node\u0026rsquo;s SSH operation is hijacked due to the prototype pollution, leading to arbitrary code execution on the n8n host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a malicious actor to execute arbitrary code on the n8n server. This grants them complete control over the n8n instance and potentially the underlying infrastructure. The vulnerability impacts any n8n instance accessible to authenticated users who can create or modify workflows. The number of affected installations is unknown, but the potential impact is high due to the sensitive nature of workflows often managed by n8n, which can include access to other systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to patch the vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect n8n Prototype Pollution via Crafted XML Payload\u0026rdquo; to detect malicious XML payloads targeting the vulnerability. Enable webserver logs to activate this rule.\u003c/li\u003e\n\u003cli\u003eLimit workflow creation and editing permissions to trusted users to mitigate the risk of exploitation, as described in the workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:02Z","date_published":"2026-04-29T21:25:02Z","id":"/briefs/2026-04-n8n-rce/","summary":"A prototype pollution vulnerability in n8n's XML webhook parser, exploitable by authenticated users, can lead to remote code execution on the n8n host.","title":"n8n Prototype Pollution in XML Webhook Body Parser Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["fabric-sdk-java"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","java"],"_cs_type":"advisory","_cs_vendors":["Hyperledger"],"content_html":"\u003cp\u003eThe \u003ccode\u003efabric-sdk-java\u003c/code\u003e client SDK, a deprecated component of Hyperledger Fabric, contains a critical vulnerability related to insecure deserialization. Specifically, the \u003ccode\u003eChannel.java\u003c/code\u003e file implements \u003ccode\u003ereadObject()\u003c/code\u003e and exposes \u003ccode\u003edeSerializeChannel()\u003c/code\u003e methods that call \u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e on untrusted byte arrays without configuring an \u003ccode\u003eObjectInputFilter\u003c/code\u003e. This omission allows an attacker to inject malicious serialized Java objects, leading to remote code execution (RCE). While \u003ccode\u003efabric-sdk-java\u003c/code\u003e has been deprecated since Hyperledger Fabric v2.5 and replaced by \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e, organizations that have not yet migrated are still vulnerable. This issue highlights the risks associated with using deprecated software and the importance of migrating to supported versions. The vulnerability exists in versions 1.0.0 through 2.2.26.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious serialized Java object using a tool like \u003ccode\u003eysoserial\u003c/code\u003e. For example, \u003ccode\u003ejava -jar ysoserial.jar CommonsCollections6 \u0026quot;touch /tmp/pwned\u0026quot; \u0026gt; malicious_channel.ser\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to supply crafted serialized Channel bytes to the client application. This could involve compromising a local channel file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious serialized data through an application that accepts Channel bytes from external sources.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003edeSerializeChannel()\u003c/code\u003e method in \u003ccode\u003eChannel.java\u003c/code\u003e is called with the attacker-controlled byte array.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003edeSerializeChannel()\u003c/code\u003e, an \u003ccode\u003eObjectInputStream\u003c/code\u003e is created from the byte array.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereadObject()\u003c/code\u003e method of \u003ccode\u003eObjectInputStream\u003c/code\u003e is called without any \u003ccode\u003eObjectInputFilter\u003c/code\u003e, deserializing the malicious object.\u003c/li\u003e\n\u003cli\u003eThe deserialization process triggers the execution of a gadget chain embedded in the malicious object.\u003c/li\u003e\n\u003cli\u003eThe gadget chain executes arbitrary code on the server, achieving RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server running the vulnerable \u003ccode\u003efabric-sdk-java\u003c/code\u003e application. This can lead to complete system compromise, data breaches, and other malicious activities. The severity is critical due to the potential for unauthenticated remote code execution. Organizations still using the deprecated \u003ccode\u003efabric-sdk-java\u003c/code\u003e are at high risk until they migrate to the supported \u003ccode\u003efabric-gateway\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate to \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e immediately\u003c/strong\u003e as the primary remediation, as it does not use Java serialization.\u003c/li\u003e\n\u003cli\u003eFor organizations unable to migrate immediately, apply the suggested fix of adding an \u003ccode\u003eObjectInputFilter\u003c/code\u003e to whitelist only expected classes as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring of Java deserialization to detect and prevent exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable logging of deserialization events to aid in incident response.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:41:58Z","date_published":"2026-04-29T20:41:58Z","id":"/briefs/2024-01-26-fabric-deserialization/","summary":"The deprecated fabric-sdk-java client SDK is vulnerable to Java deserialization RCE due to the use of ObjectInputStream.readObject() without an ObjectInputFilter in Channel.java, allowing remote code execution if an attacker can supply crafted serialized Channel bytes to the client application.","title":"Hyperledger Fabric SDK Java Deserialization RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-26-fabric-deserialization/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34965"}],"_cs_exploited":false,"_cs_products":["Cockpit CMS"],"_cs_severities":["critical"],"_cs_tags":["rce","code-injection","cockpit-cms"],"_cs_type":"advisory","_cs_vendors":["agentejo"],"content_html":"\u003cp\u003eCockpit CMS is vulnerable to remote code execution due to insufficient input validation in the \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e endpoint. An authenticated attacker with collection management privileges can inject arbitrary PHP code into collection rules parameters. This vulnerability, identified as CVE-2026-34965, allows attackers to inject malicious PHP code through rule parameters. The injected code is then written directly to server-side PHP files and executed via the \u003ccode\u003einclude()\u003c/code\u003e function, leading to arbitrary command execution on the underlying server. This poses a significant risk to organizations using Cockpit CMS, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Cockpit CMS application with valid collection management credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request to the \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e endpoint containing PHP code within collection rules parameters.\u003c/li\u003e\n\u003cli\u003eThe application saves the attacker-supplied PHP code into a PHP file on the server.\u003c/li\u003e\n\u003cli\u003eThe application uses the \u003ccode\u003einclude()\u003c/code\u003e function to execute the PHP file.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes arbitrary commands on the underlying server, granting the attacker control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the underlying server. This can lead to complete system compromise, including data theft, modification, or deletion. Given the high CVSS score (8.8), this vulnerability poses a critical risk, especially for internet-facing Cockpit CMS installations. Organizations in any sector using Cockpit CMS are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Cockpit CMS that addresses CVE-2026-34965 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Cockpit CMS Save Collection Activity\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e with suspicious characters or PHP code in the request body, as detected by the Sigma rule \u003ccode\u003eDetect PHP Code Injection in Cockpit CMS Collections\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:29Z","date_published":"2026-04-29T20:16:29Z","id":"/briefs/2026-04-cockpit-rce/","summary":"Cockpit CMS is vulnerable to authenticated remote code execution via PHP code injection in the /cockpit/collections/save_collection endpoint, enabling attackers with collection management privileges to execute arbitrary commands on the server.","title":"Cockpit CMS Authenticated Remote Code Execution via Code Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-cockpit-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25308"}],"_cs_exploited":false,"_cs_products":["BuddyPress Xprofile Custom Fields Type"],"_cs_severities":["high"],"_cs_tags":["rce","file-deletion","wordpress"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their profile editing page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the profile update endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameters are manipulated to point to arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eThe server-side script processes the crafted POST request without proper sanitization or validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function or an equivalent file deletion function is called with the attacker-controlled file paths.\u003c/li\u003e\n\u003cli\u003eThe targeted files are deleted from the server file system.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameter values (reference the attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:26Z","date_published":"2026-04-29T20:16:26Z","id":"/briefs/2026-04-buddypress-rce/","summary":"CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.","title":"BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution via Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7466"}],"_cs_exploited":false,"_cs_products":["AgentFlow"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7466","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":["berabuddies"],"content_html":"\u003cp\u003eAgentFlow is susceptible to an arbitrary code execution vulnerability identified as CVE-2026-7466. This flaw stems from insufficient validation of the \u003ccode\u003epipeline_path\u003c/code\u003e parameter within the \u003ccode\u003e/api/runs\u003c/code\u003e and \u003ccode\u003e/api/runs/validate\u003c/code\u003e endpoints. By crafting malicious POST requests and supplying a user-controlled \u003ccode\u003epipeline_path\u003c/code\u003e, an attacker can induce the AgentFlow API to load and execute arbitrary Python pipeline files present on the server\u0026rsquo;s filesystem. Successful exploitation leads to code execution within the security context of the user running AgentFlow, potentially granting the attacker full control over the affected system. This vulnerability poses a significant threat to organizations utilizing AgentFlow, as it can lead to data breaches, system compromise, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an AgentFlow instance running a vulnerable version.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to the \u003ccode\u003e/api/runs\u003c/code\u003e endpoint, including a \u003ccode\u003epipeline_path\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epipeline_path\u003c/code\u003e parameter is set to the path of a malicious Python file already existing on the AgentFlow server (or uploaded previously through other means).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious POST request to the \u003ccode\u003e/api/runs\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAgentFlow processes the request without properly validating the \u003ccode\u003epipeline_path\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAgentFlow loads and executes the Python file specified in the \u003ccode\u003epipeline_path\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled Python code executes with the privileges of the AgentFlow process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, potentially leading to complete system compromise, data exfiltration, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7466 allows an attacker to execute arbitrary code on the AgentFlow server. This can lead to a complete compromise of the system, including the theft of sensitive data, modification of critical system files, or the installation of backdoors for persistent access. The severity of the impact depends on the privileges of the user account running AgentFlow, but in many cases, it can lead to full system administrator access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003epipeline_path\u003c/code\u003e parameter within the \u003ccode\u003e/api/runs\u003c/code\u003e and \u003ccode\u003e/api/runs/validate\u003c/code\u003e endpoints to prevent arbitrary file loading and execution.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/runs\u003c/code\u003e and \u003ccode\u003e/api/runs/validate\u003c/code\u003e containing suspicious \u003ccode\u003epipeline_path\u003c/code\u003e values (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eRestrict file system permissions to limit the ability of the AgentFlow user to read and execute arbitrary Python files.\u003c/li\u003e\n\u003cli\u003eApply available patches or updates for AgentFlow as soon as they are released to address this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T19:16:27Z","date_published":"2026-04-29T19:16:27Z","id":"/briefs/2026-04-agentflow-rce/","summary":"AgentFlow is vulnerable to arbitrary code execution (CVE-2026-7466) by manipulating the `pipeline_path` parameter in POST requests to `/api/runs` and `/api/runs/validate`, allowing attackers to execute arbitrary Python code.","title":"AgentFlow Arbitrary Code Execution via Pipeline Path Manipulation (CVE-2026-7466)","url":"https://feed.craftedsignal.io/briefs/2026-04-agentflow-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40976"},{"cvss":7,"id":"CVE-2026-40973"},{"cvss":7.5,"id":"CVE-2026-40972"}],"_cs_exploited":false,"_cs_products":["Spring Boot"],"_cs_severities":["critical"],"_cs_tags":["spring-boot","vulnerability","rce","authentication-bypass","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["Spring"],"content_html":"\u003cp\u003eA set of critical vulnerabilities has been discovered in Spring Boot, a widely used Java framework for building web applications and backend services. These vulnerabilities, including CVE-2026-40976 (CVSS 9.1), CVE-2026-40973 (CVSS 7.0), and CVE-2026-40972 (CVSS 7.5), pose a significant threat to organizations using affected versions (specifically versions before 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33). Successful exploitation could lead to unauthorized access, session hijacking, and remote code execution, impacting the confidentiality, integrity, and availability of critical business systems. The initial advisory was released by CCB Belgium on April 28, 2026, urging immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (CVE-2026-40976 - Authentication Bypass):\u003c/strong\u003e An attacker sends a crafted HTTP request to a vulnerable Spring Boot application endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Default Configuration:\u003c/strong\u003e If the application is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default web security configuration fails to enforce authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e Due to the authorization bypass, the attacker gains unauthorized access to all application endpoints without proper authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Hijacking (CVE-2026-40973):\u003c/strong\u003e A local attacker exploits the vulnerability to take control of the ApplicationTemp directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution (CVE-2026-40973):\u003c/strong\u003e Once in control of the ApplicationTemp directory, the attacker can potentially execute arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTiming Attack (CVE-2026-40972):\u003c/strong\u003e An attacker on the same network conducts a timing attack against the DevTools remote secret.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution (CVE-2026-40972):\u003c/strong\u003e By successfully exploiting the timing attack, the attacker can potentially achieve remote code execution on the vulnerable server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker gains full control of the system, allowing for data exfiltration, system compromise, and operational downtime.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Spring Boot vulnerabilities can lead to significant damage, including unauthorized access to sensitive data, complete system compromise, and extended operational downtime. The potential number of victims is vast, considering the widespread use of Spring Boot in various sectors including finance, healthcare, and e-commerce. If an attacker successfully exploits these vulnerabilities, they could steal sensitive customer data, disrupt critical business operations, or deploy ransomware, resulting in significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Spring Boot applications to the latest versions (\u0026gt;=4.0.6, \u0026gt;=3.5.14, \u0026gt;=3.4.16, \u0026gt;=3.3.19, \u0026gt;=2.7.33) to address CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Access to Actuator Endpoints\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-40976 by monitoring access to sensitive actuator endpoints.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any related suspicious activity as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any potentially compromised systems following the patching process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spring-boot-vulns/","summary":"Multiple vulnerabilities in Spring Boot, including CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972, can allow attackers to bypass authorization, hijack sessions, or achieve remote code execution, potentially leading to data breaches and system compromise.","title":"Multiple Vulnerabilities in Spring Boot Allow Authorization Bypass and Potential RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-spring-boot-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41635"}],"_cs_exploited":false,"_cs_products":["MINA 2.0","MINA 2.1","MINA 2.2"],"_cs_severities":["critical"],"_cs_tags":["apache-mina","rce","deserialization","cve-2026-41635"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eA critical arbitrary code execution vulnerability, CVE-2026-41635, has been identified in Apache MINA, an open-source network application framework. The vulnerability affects versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The flaw lies within the AbstractIoBuffer.resolveClass() method, where a branch lacks class validation, bypassing the classname allowlist. This allows remote attackers with low privileges to execute arbitrary code on systems using Apache MINA when the IoBuffer.getObject() method is called. Successful exploitation can lead to full system compromise, data exfiltration, and further attacks on interconnected systems. It is imperative that organizations using Apache MINA apply the necessary patches immediately to mitigate this critical risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable application using Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, or 2.2.0-2.2.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing serialized Java objects designed to exploit the class validation bypass in \u003ccode\u003eAbstractIoBuffer.resolveClass()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a network request to the vulnerable application that triggers the \u003ccode\u003eIoBuffer.getObject()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIoBuffer.getObject()\u003c/code\u003e method deserializes the attacker-controlled data without proper class validation due to the flaw in \u003ccode\u003eAbstractIoBuffer.resolveClass()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious serialized object executes arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their access to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41635 allows attackers to execute arbitrary code on systems utilizing vulnerable versions of Apache MINA. This can lead to a full compromise of the affected system, including data exfiltration, denial of service, or further attacks on interconnected systems. The vulnerability is remotely exploitable with low privileges, increasing the potential for widespread impact across various sectors relying on Apache MINA for network communication. A successful attack poses a high risk to the confidentiality, integrity, and availability of affected systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Apache MINA to the latest version to remediate CVE-2026-41635, as recommended by the vendor advisory (\u003ca href=\"https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm)\"\u003ehttps://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious activity related to deserialization attempts, as suggested by the CCB\u0026rsquo;s recommendation to upscale monitoring capabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Apache MINA Vulnerable Class Deserialization Attempt\u0026rdquo; to identify potential exploitation attempts based on suspicious class names in network traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T16:09:56Z","date_published":"2026-04-27T16:09:56Z","id":"/briefs/2026-04-apache-mina-rce/","summary":"A critical arbitrary code execution vulnerability (CVE-2026-41635) exists in Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 due to missing class validation in the AbstractIoBuffer.resolveClass() method, potentially allowing attackers to execute arbitrary code on applications using Apache MINA.","title":"Apache MINA Arbitrary Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-apache-mina-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6992"}],"_cs_exploited":false,"_cs_products":["MR9600 (2.0.6.206937)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6992","command-injection","router","rce"],"_cs_type":"advisory","_cs_vendors":["Linksys"],"content_html":"\u003cp\u003eA command injection vulnerability, CVE-2026-6992, affects the Linksys MR9600 router, specifically version 2.0.6.206937. The vulnerability resides in the JNAP Action Handler component within the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script. Attackers can remotely exploit this flaw by manipulating the \u003ccode\u003epin\u003c/code\u003e argument passed to the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function. This allows for the execution of arbitrary operating system commands on the affected device. A public exploit is available, increasing the risk of exploitation. The vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the Linksys MR9600 router.\u003c/li\u003e\n\u003cli\u003eThe request targets the JNAP Action Handler component, specifically the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function is invoked by the crafted request.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious OS commands within the \u003ccode\u003epin\u003c/code\u003e argument of the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s firmware processes the request, failing to properly sanitize the \u003ccode\u003epin\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with the privileges of the running process, potentially \u003ccode\u003eroot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the router, potentially allowing for further malicious activities, such as network traffic interception or modification of router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6992 allows a remote attacker to execute arbitrary commands on the Linksys MR9600 router. This can lead to a complete compromise of the device, allowing the attacker to monitor network traffic, change router configurations, or use the router as a foothold for further attacks within the network. Given the availability of a public exploit, the risk of widespread exploitation is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-6992 Exploitation Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Suspicious Shell Activity via Web Request\u003c/code\u003e to detect potential command injection attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious characters in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field that target \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e to uncover exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:00:00Z","date_published":"2026-04-26T12:00:00Z","id":"/briefs/2026-04-linksys-rce/","summary":"CVE-2026-6992 is a command injection vulnerability in the Linksys MR9600 router that allows remote attackers to execute arbitrary OS commands by manipulating the 'pin' argument in the BTRequestGetSmartConnectStatus function.","title":"Linksys MR9600 Command Injection Vulnerability (CVE-2026-6992)","url":"https://feed.craftedsignal.io/briefs/2026-04-linksys-rce/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-41176"},{"id":"CVE-2026-41179"}],"_cs_exploited":true,"_cs_products":["Rclone"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","cloud"],"_cs_type":"threat","_cs_vendors":["Rclone"],"content_html":"\u003cp\u003eTwo critical unauthenticated remote code execution vulnerabilities, CVE-2026-41176 and CVE-2026-41179, have been discovered in Rclone versions prior to 1.73.5. Rclone is a command-line program used to manage files on cloud storage services. These vulnerabilities can be exploited if the Rclone remote control (RC) API is enabled without proper authentication (e.g., \u003ccode\u003e--rc-user/--rc-pass/--rc-htpasswd\u003c/code\u003e). An attacker with network access to a vulnerable Rclone instance can bypass authentication, execute arbitrary commands, and potentially gain full system compromise. As organizations increasingly rely on cloud storage, vulnerabilities in tools like Rclone can have significant impact by enabling data theft and lateral movement. The vulnerabilities were reported on April 24, 2026, with no known active exploitation as of April 23, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target system running Rclone with the RC API enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the RC API is exposed on a reachable network address (e.g., not only localhost) and is not protected by HTTP authentication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-41179, the attacker sends a single crafted HTTP request to the RC endpoint, leveraging the WebDAV backend initialization process.\u003c/li\u003e\n\u003cli\u003eThis crafted request triggers the execution of arbitrary commands on the target system without authentication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-41176, the attacker bypasses authentication controls to access sensitive administrative functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates Rclone configuration or invokes operational RC methods to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains local file read/write access, potentially stealing sensitive data or uploading malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise, enabling data theft, lateral movement within the network, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41176 and CVE-2026-41179 can lead to full system compromise, data theft, lateral movement, or denial of service. Specifically, attackers can achieve local file read, file write, or shell access, depending on the environment. The impact includes potential exposure of sensitive cloud data and configurations, which could compromise the integrity and confidentiality of stored information. Given Rclone\u0026rsquo;s popularity among organizations managing cloud storage, a successful attack could affect a large number of victims across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rclone to version 1.73.5 or later to patch CVE-2026-41176 and CVE-2026-41179 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eEnable global HTTP authentication on RC servers using \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e to mitigate the unauthenticated access, as mentioned in the description of the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls (e.g., firewall rules) to restrict access to RC server endpoints and the RC service, as suggested by CCB.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Rclone RC API Access Without Authentication\u0026rdquo; to identify potentially vulnerable Rclone instances within your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-rclone-rce/","summary":"Rclone versions prior to 1.73.5 are vulnerable to two critical unauthenticated remote code execution vulnerabilities (CVE-2026-41176 and CVE-2026-41179) when the remote control API is enabled without authentication, potentially allowing attackers to execute arbitrary commands and compromise the system.","title":"Rclone Unauthenticated Remote Code Execution Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-rclone-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41316"}],"_cs_exploited":false,"_cs_products":["ERB"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","ruby","rails"],"_cs_type":"advisory","_cs_vendors":["RubyGems"],"content_html":"\u003cp\u003eRuby versions before ERB 2.2.0 implemented an \u003ccode\u003e@_init\u003c/code\u003e instance variable guard in \u003ccode\u003eERB#result\u003c/code\u003e and \u003ccode\u003eERB#run\u003c/code\u003e to prevent code execution upon deserialization via \u003ccode\u003eMarshal.load\u003c/code\u003e. This guard is intended to block execution when an ERB object is reconstructed from untrusted data. However, the methods \u003ccode\u003eERB#def_method\u003c/code\u003e, \u003ccode\u003eERB#def_module\u003c/code\u003e, and \u003ccode\u003eERB#def_class\u003c/code\u003e were not given the same protection, creating a bypass. An attacker capable of triggering \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data in a Ruby application with the \u003ccode\u003eerb\u003c/code\u003e gem loaded can exploit \u003ccode\u003eERB#def_module\u003c/code\u003e (using its zero-argument, default-parameter form) as a code execution sink. This bypass impacts Ruby on Rails applications that import untrusted serialized data, Ruby tools employing \u003ccode\u003eMarshal.load\u003c/code\u003e for caching or IPC, and legacy Rails applications (pre-7.0) utilizing Marshal for cookie session serialization. This bypass renders the \u003ccode\u003e@_init\u003c/code\u003e mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3. Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this enables a universal RCE gadget chain for Ruby 3.2+ applications using Rails. The vulnerability is identified as CVE-2026-41316.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Ruby object containing an \u003ccode\u003eERB\u003c/code\u003e instance and/or an \u003ccode\u003eActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB\u003c/code\u003e instance has its \u003ccode\u003e@src\u003c/code\u003e instance variable set to a string containing malicious code with the \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application calls \u003ccode\u003eMarshal.load\u003c/code\u003e on the crafted object, triggering deserialization.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDeprecatedInstanceVariableProxy\u003c/code\u003e is instantiated (if used), which then invokes the \u003ccode\u003eERB#def_module\u003c/code\u003e method via \u003ccode\u003emethod_missing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB#def_module\u003c/code\u003e method calls \u003ccode\u003eERB#def_method\u003c/code\u003e without checking the \u003ccode\u003e@_init\u003c/code\u003e guard.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eERB#def_method\u003c/code\u003e, the malicious code in \u003ccode\u003e@src\u003c/code\u003e is wrapped in a method definition and evaluated via \u003ccode\u003emodule_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload causes the \u003ccode\u003esystem('id')\u003c/code\u003e command to execute during the \u003ccode\u003emodule_eval\u003c/code\u003e call, bypassing the intended deserialization protection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the target system, gaining the ability to perform malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the target system. This affects Ruby applications, including Ruby on Rails, which use \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data. Specific impact includes potential compromise of web servers and the ability to read sensitive files, modify data, or install malware. Vulnerable applications include those using \u003ccode\u003eMarshal.load\u003c/code\u003e for caching, data import, or IPC, and legacy Rails applications (pre-7.0) using Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade your erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to patch the vulnerability as described in the \u0026ldquo;Patches\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eAvoid using \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data, as it is inherently unsafe. Consider using alternative serialization formats like JSON or YAML.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ERB def_module Code Execution via Deserialization\u0026rdquo; Sigma rule to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-erb-deserialization/","summary":"A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.","title":"ERB Deserialization Bypass via def_module/def_method/def_class","url":"https://feed.craftedsignal.io/briefs/2026-04-erb-deserialization/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gemini CLI","run-gemini-cli GitHub Action"],"_cs_severities":["critical"],"_cs_tags":["rce","supply-chain","github-actions"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGemini CLI (\u003ccode\u003e@google/gemini-cli\u003c/code\u003e) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the \u003ccode\u003e.gemini/\u003c/code\u003e directory to be exploited. Furthermore, in \u003ccode\u003e--yolo\u003c/code\u003e mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like \u003ccode\u003erun_shell_command\u003c/code\u003e. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under \u003ccode\u003e--yolo\u003c/code\u003e, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s pull request includes a crafted \u003ccode\u003e.gemini/\u003c/code\u003e directory containing malicious environment variables.\u003c/li\u003e\n\u003cli\u003eGemini CLI loads the malicious environment variables, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker injects a malicious prompt leveraging \u003ccode\u003erun_shell_command\u003c/code\u003e when \u003ccode\u003e--yolo\u003c/code\u003e is used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_shell_command\u003c/code\u003e executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@google/gemini-cli\u003c/code\u003e to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eactions/google-github-actions/run-gemini-cli\u003c/code\u003e to version 0.1.22 or later.\u003c/li\u003e\n\u003cli\u003eFor workflows running on trusted inputs, set \u003ccode\u003eGEMINI_TRUST_WORKSPACE: 'true'\u003c/code\u003e in the GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eFor workflows processing untrusted inputs, review the hardening guidance in \u003ca href=\"https://github.com/google-github-actions/run-gemini-cli\"\u003egoogle-github-actions/run-gemini-cli\u003c/a\u003e and set the environment variable accordingly.\u003c/li\u003e\n\u003cli\u003eReview and harden tool allowlists in \u003ccode\u003e~/.gemini/settings.json\u003c/code\u003e to restrict the commands that can be executed, especially when using the \u003ccode\u003e--yolo\u003c/code\u003e flag.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:30:01Z","date_published":"2026-04-24T19:30:01Z","id":"/briefs/2026-04-gemini-cli-rce/","summary":"Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.","title":"Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting Bypasses","url":"https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-39920"}],"_cs_exploited":false,"_cs_products":["FileStore","Axis2"],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2026-39920","apache axis2","default credentials","web service"],"_cs_type":"advisory","_cs_vendors":["BridgeHead Software","Apache"],"content_html":"\u003cp\u003eBridgeHead FileStore versions prior to 24A, released in early 2024, expose a critical security vulnerability. Specifically, the Apache Axis2 administration module is accessible on network endpoints with default credentials. This flaw allows unauthenticated remote attackers to execute arbitrary operating system commands. The vulnerability stems from insecure default configurations within the FileStore application and the underlying Axis2 web service framework. Successful exploitation grants complete control over the affected system, potentially leading to data breaches, system compromise, and further lateral movement within the network. This vulnerability poses a significant risk to organizations using vulnerable versions of BridgeHead FileStore.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a BridgeHead FileStore instance running a vulnerable version of the software on a network-accessible endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the Apache Axis2 administration console, which is exposed due to a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Axis2 admin console using default credentials, bypassing authentication controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious Java archive (WAR file) containing a web service designed to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious web service through the Axis2 administration interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SOAP request to the deployed malicious web service, embedding the operating system command to be executed.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FileStore instance processes the SOAP request, executing the attacker-controlled command on the host operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, achieving complete control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39920 allows unauthenticated attackers to execute arbitrary OS commands on systems running vulnerable versions of BridgeHead FileStore. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. While the exact number of affected organizations is unknown, the widespread use of BridgeHead FileStore in data protection and archiving scenarios makes this a critical vulnerability. The consequences of a successful attack could include the loss of sensitive data, disruption of business operations, and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the update to FileStore version 24A or later to remediate the vulnerability as mentioned in the product updates page (\u003ca href=\"https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/\"\u003ehttps://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the Axis2 administration console (\u003ccode\u003e/axis2/servlet/AdminServlet\u003c/code\u003e) as it is a key component of the exploitation. Use the \u0026ldquo;Detect Axis2 Admin Access\u0026rdquo; Sigma rule to identify unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of BridgeHead FileStore instances and the Axis2 administration module.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong authentication policies for all web-based administration interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T16:16:36Z","date_published":"2026-04-24T16:16:36Z","id":"/briefs/2026-04-bridgehead-filestore-rce/","summary":"BridgeHead FileStore versions prior to 24A are vulnerable to unauthenticated remote code execution via exposed Apache Axis2 administration module with default credentials, enabling attackers to upload malicious web services and execute arbitrary OS commands.","title":"BridgeHead FileStore Unauthenticated Remote Code Execution via Apache Axis2","url":"https://feed.craftedsignal.io/briefs/2026-04-bridgehead-filestore-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-41355"}],"_cs_exploited":false,"_cs_products":["OpenShell"],"_cs_severities":["high"],"_cs_tags":["cve","rce","openshell"],"_cs_type":"advisory","_cs_vendors":["OpenShell"],"content_html":"\u003cp\u003eOpenShell, a popular start menu replacement for Windows, is vulnerable to arbitrary code execution. Specifically, versions prior to 2026.3.28 are susceptible to CVE-2026-41355, which allows attackers with \u0026ldquo;mirror mode\u0026rdquo; access to execute arbitrary code. This vulnerability stems from the insecure conversion of untrusted sandbox files into workspace hooks. An attacker can leverage this flaw to inject malicious code that executes during the OpenShell gateway startup process, gaining control over the host system. This poses a significant risk to systems where OpenShell is used, especially in environments where multiple users or sandboxed applications are present. Successful exploitation allows for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to a system with OpenShell installed and \u0026ldquo;mirror mode\u0026rdquo; enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious sandbox file containing embedded code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages OpenShell\u0026rsquo;s mirror mode to convert the untrusted sandbox file into a workspace hook.\u003c/li\u003e\n\u003cli\u003eOpenShell improperly handles the conversion, failing to sanitize the malicious code within the workspace hook.\u003c/li\u003e\n\u003cli\u003eThe system restarts or the OpenShell gateway service is initialized.\u003c/li\u003e\n\u003cli\u003eDuring the gateway startup, OpenShell executes the injected malicious code from the compromised workspace hook.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the OpenShell process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges or performs other malicious actions, such as installing malware or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41355 allows an attacker to execute arbitrary code on a vulnerable system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability is particularly dangerous in multi-user environments or systems using sandboxed applications, as it allows attackers to break out of the sandbox and gain control over the host. While the exact number of affected systems is unknown, any system running OpenShell prior to version 2026.3.28 with mirror mode enabled is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenShell to version 2026.3.28 or later to patch CVE-2026-41355.\u003c/li\u003e\n\u003cli\u003eDisable \u0026ldquo;mirror mode\u0026rdquo; in OpenShell if it is not required, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetectSuspiciousOpenShellMirrorMode\u003c/code\u003e to detect potential exploitation attempts by monitoring process creations related to OpenShell with specific command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to activate the \u003ccode\u003eDetectSuspiciousOpenShellMirrorMode\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openshell-rce/","summary":"OpenShell before 2026.3.28 is vulnerable to arbitrary code execution via mirror mode when converting untrusted sandbox files into workspace hooks, allowing attackers with mirror mode access to execute code during gateway startup.","title":"OpenShell Arbitrary Code Execution Vulnerability (CVE-2026-41355)","url":"https://feed.craftedsignal.io/briefs/2026-04-openshell-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41352"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","cve-2026-41352"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 suffers from a remote code execution vulnerability (CVE-2026-41352). This flaw exists because a device-paired node can bypass the node scope gate authentication mechanism. An attacker who has already obtained device pairing credentials can exploit this vulnerability to execute arbitrary node commands on the host system. This occurs because the application doesn\u0026rsquo;t perform adequate node pairing validation, allowing malicious actors to potentially gain complete control over the affected system if successfully exploited. Defenders should prioritize patching to version 2026.3.31 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the OpenClaw system. This may involve social engineering or other means of obtaining device pairing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the device pairing credentials to authenticate to a device-paired node.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a node command on the host system.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check (CWE-862), the node scope gate authentication mechanism is bypassed.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly validates the request, failing to properly verify node pairing.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully executes an arbitrary node command on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41352 allows an attacker with valid device pairing credentials to execute arbitrary commands on the host system. This can lead to a complete compromise of the OpenClaw system and potentially the entire network. The number of potential victims is dependent on the number of deployments of OpenClaw before version 2026.3.31. The impact includes data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41352.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw systems for unauthorized command execution attempts. While no specific IOCs are available, monitor for unexpected process executions originating from the OpenClaw application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-rce/","summary":"OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.","title":"OpenClaw Remote Code Execution via Node Scope Gate Bypass (CVE-2026-41352)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-39987"}],"_cs_exploited":false,"_cs_products":["Marimo"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-39987","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Marimo"],"content_html":"\u003cp\u003eA pre-authentication remote code execution vulnerability, CVE-2026-39987, exists within the Marimo application. This vulnerability allows an unauthenticated attacker to gain shell access and execute arbitrary system commands on the affected system. Given the nature of the vulnerability, all versions of Marimo are potentially affected unless patched or mitigated. Successful exploitation could lead to complete system compromise, data theft, or denial of service. The vulnerability was publicly disclosed in April 2026 and organizations using Marimo should take immediate action to address it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a specially crafted request to the Marimo server.\u003c/li\u003e\n\u003cli\u003eThe Marimo application fails to properly validate or sanitize the input within the request.\u003c/li\u003e\n\u003cli\u003eThis input is processed by the server without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input validation, the attacker injects malicious code into the application.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed with the privileges of the Marimo process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains shell access to the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary system commands, potentially installing malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence for continued access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39987 allows an unauthenticated attacker to execute arbitrary system commands on a server running Marimo. This could lead to complete compromise of the system, including data theft, malware installation, or denial of service. The number of potential victims is dependent on the number of Marimo deployments, but given the pre-authentication nature of the vulnerability, any unpatched instance is at risk. Sectors particularly at risk are those relying on Marimo for critical services or data management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by the vendor to address CVE-2026-39987 or discontinue use of the product.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Marimo Exploitation Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-39987 within web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from Marimo servers, which could indicate successful exploitation.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if Marimo is deployed in a cloud environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-marimo-rce/","summary":"CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo, enabling unauthenticated attackers to execute arbitrary system commands.","title":"Marimo Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39987)","url":"https://feed.craftedsignal.io/briefs/2026-04-marimo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33227"},{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":7.5,"id":"CVE-2026-40046"},{"cvss":7.5,"id":"CVE-2026-39304"},{"cvss":8.8,"id":"CVE-2026-40466"}],"_cs_exploited":false,"_cs_products":["ActiveMQ"],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","xss","apache"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eMultiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. This may involve crafting a specific message or request to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eCode Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all Apache ActiveMQ instances within your environment and determine their versions.\u003c/li\u003e\n\u003cli\u003eConsult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.\u003c/li\u003e\n\u003cli\u003eReview and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:10Z","date_published":"2026-04-24T09:09:10Z","id":"/briefs/2026-04-activemq-rce-xss/","summary":"An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.","title":"Apache ActiveMQ Vulnerabilities Allow RCE and XSS","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-33018"},{"cvss":7.1,"id":"CVE-2026-33020"},{"id":"CVE-2026-41144"}],"_cs_exploited":false,"_cs_products":["ASA","Secure Firewall Threat Defense","IOS","IOS XE","IOS XR"],"_cs_severities":["critical"],"_cs_tags":["cisco","vulnerability","rce","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T05:43:56Z","date_published":"2026-04-24T05:43:56Z","id":"/briefs/2024-07-cisco-multiple-vulns/","summary":"Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.","title":"Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34415"}],"_cs_exploited":false,"_cs_products":["Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34415","rce","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a \u0026lsquo;.php4\u0026rsquo; extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file disguised with a \u0026lsquo;.php4\u0026rsquo; extension, bypassing the incomplete input validation.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious PHP file to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to directly access the uploaded PHP file via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PHP4 Uploads\u0026rdquo; to identify potential exploitation attempts by monitoring web server logs for \u0026lsquo;.php4\u0026rsquo; file uploads.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xerte-rce/","summary":"Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-29635"},{"cvss":8.8,"id":"CVE-2023-1389"}],"_cs_exploited":false,"_cs_products":["DIR-823X","ZXV10 H108L"],"_cs_severities":["critical"],"_cs_tags":["mirai","ddos","rce","iot"],"_cs_type":"advisory","_cs_vendors":["D-Link","TP-Link","ZTE"],"content_html":"\u003cp\u003eA new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai\u0026rsquo;s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on the D-Link DIR-823X router.\u003c/li\u003e\n\u003cli\u003eThe POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands change directories across writable paths on the router.\u003c/li\u003e\n\u003cli\u003eA shell script named \u003ccode\u003edlink.sh\u003c/code\u003e is downloaded from an external IP address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edlink.sh\u003c/code\u003e script is executed on the compromised router.\u003c/li\u003e\n\u003cli\u003eThe script installs a Mirai-based malware variant named \u0026ldquo;tuxnokill\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u0026ldquo;tuxnokill\u0026rdquo; establishes persistence and begins scanning for new targets.\u003c/li\u003e\n\u003cli\u003eThe compromised device is then used to launch DDoS attacks, leveraging Mirai\u0026rsquo;s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mirai dlink.sh Download\u003c/code\u003e to identify attempts to download the malicious shell script.\u003c/li\u003e\n\u003cli\u003eIf using affected D-Link DIR-823X routers, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.\u003c/li\u003e\n\u003cli\u003eBlock the external IP address hosting the \u003ccode\u003edlink.sh\u003c/code\u003e script if it can be reliably determined and is observed on your network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-mirai-dlink-rce/","summary":"A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.","title":"Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers","url":"https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","sqli","xss","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in n8n, a workflow automation tool. An attacker exploiting these vulnerabilities could achieve a range of malicious outcomes, including remote code execution, security bypass, information disclosure, SQL injection, denial-of-service, cross-site scripting (XSS), malicious redirection, and session hijacking. The vulnerabilities stem from insufficient input validation, insecure configurations, or design flaws within the n8n application. Successful exploitation can lead to complete compromise of the n8n instance and potentially the underlying system, depending on the permissions of the n8n process. This poses a significant risk to organizations relying on n8n for critical business processes. Defenders need to implement robust security measures to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad range of potential vulnerabilities, a generalized attack chain is outlined below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (SQL Injection):\u003c/strong\u003e The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (XSS):\u003c/strong\u003e The attacker injects malicious JavaScript code into n8n workflows or data fields. When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. This could be achieved through insecure file uploads, deserialization flaws, or command injection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, depending on the attacker\u0026rsquo;s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see \u0026ldquo;Descriptive Detection Rule Name\u0026rdquo; in the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.\u003c/li\u003e\n\u003cli\u003eEnforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to limit the permissions of the n8n process and users.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.\u003c/li\u003e\n\u003cli\u003eRegularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:23:56Z","date_published":"2026-04-23T10:23:56Z","id":"/briefs/2026-04-n8n-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.","title":"Multiple Vulnerabilities in n8n Workflow Automation Tool","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5935"}],"_cs_exploited":false,"_cs_products":["Total Storage Service Console","TS4500 IMC"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5935","rce","command injection"],"_cs_type":"advisory","_cs_vendors":["IBM"],"content_html":"\u003cp\u003eCVE-2026-5935 describes a critical vulnerability affecting IBM Total Storage Service Console (TSSC) / TS4500 IMC software. Specifically, versions 9.2, 9.3, 9.4, 9.5, and 9.6 are susceptible to unauthenticated remote command execution. The vulnerability stems from insufficient validation of user-supplied input, allowing an attacker to inject and execute arbitrary commands on the system. Successful exploitation grants the attacker normal user privileges. This vulnerability poses a significant risk as it allows attackers to compromise the system without authentication, potentially leading to data breaches, system disruption, or further lateral movement within the network. Defenders should prioritize patching or mitigating this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC instance running versions 9.2, 9.3, 9.4, 9.5, or 9.6.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing an OS command injection payload. This payload is designed to exploit the improper input validation within the TSSC/IMC software.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the vulnerable TSSC/IMC instance, targeting a specific endpoint or function susceptible to command injection.\u003c/li\u003e\n\u003cli\u003eThe TSSC/IMC software processes the request without proper validation, passing the malicious payload to the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe operating system executes the injected command with the privileges of a normal user account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary commands on the system, potentially allowing them to read sensitive files, modify configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage their initial access to escalate privileges, move laterally within the network, or establish persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5935 allows an unauthenticated attacker to execute arbitrary commands on the affected IBM Total Storage Service Console (TSSC) / TS4500 IMC system. This can lead to complete system compromise, data breaches, and disruption of services. The impact could range from unauthorized access to sensitive data to the deployment of ransomware, depending on the attacker\u0026rsquo;s objectives and the level of access achieved after exploitation. Due to the lack of authentication requirement, the vulnerability is highly critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a fixed version of IBM Total Storage Service Console (TSSC) / TS4500 IMC as outlined in the IBM advisory (\u003ca href=\"https://www.ibm.com/support/pages/node/7270127\"\u003ehttps://www.ibm.com/support/pages/node/7270127\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect command execution via web requests targeting TSSC/IMC.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise of the TSSC/IMC system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T00:16:46Z","date_published":"2026-04-23T00:16:46Z","id":"/briefs/2026-04-ibm-tssc-rce/","summary":"An unauthenticated user can execute arbitrary commands with normal user privileges on vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC versions due to improper validation of user-supplied input, as identified by CVE-2026-5935.","title":"IBM Total Storage Service Console (TSSC) / TS4500 IMC Unauthenticated Remote Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-ibm-tssc-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","code-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the \u003ccode\u003eBackup::restore\u003c/code\u003e function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with \u003ccode\u003ecreate\u003c/code\u003e role accesses the vulnerable \u003ccode\u003e/backend/backup/restore\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) with a path traversing outside the intended extraction directory (e.g., \u003ccode\u003e../../public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive via the \u003ccode\u003ebackup_file\u003c/code\u003e parameter in a POST request.\u003c/li\u003e\n\u003cli\u003eThe server moves the uploaded ZIP file to \u003ccode\u003eWRITEPATH . 'uploads/'\u003c/code\u003e without sanitizing or validating the ZIP entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function is called on the uploaded ZIP, extracting the malicious file to the specified path \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PHP file is written to the web root, allowing for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the injected PHP code by sending a request to \u003ccode\u003e/shell.php?c=id\u003c/code\u003e, executing arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in \u003ccode\u003e.env\u003c/code\u003e and any other sensitive data handled by the site. Because the affected route is in the \u003ccode\u003ecsrfExcept\u003c/code\u003e list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e prior to \u003ccode\u003e0.31.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling \u003ccode\u003eextractTo()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Zip Slip via Web Request\u003c/code\u003e to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:28:39Z","date_published":"2026-04-22T17:28:39Z","id":"/briefs/2024-01-09-ci4ms-zip-slip/","summary":"The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.","title":"CI4MS Backup Restore Zip Slip Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-32613"},{"cvss":9.9,"id":"CVE-2026-32604"}],"_cs_exploited":false,"_cs_products":["Spinnaker"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","spinnaker"],"_cs_type":"advisory","_cs_vendors":["Spinnaker"],"content_html":"\u003cp\u003eTwo critical remote code execution (RCE) vulnerabilities, CVE-2026-32613 and CVE-2026-32604, have been discovered in Spinnaker, an open-source multi-cloud continuous delivery platform. These vulnerabilities stem from insufficient input validation and sanitization. CVE-2026-32613 relates to expression parsing, allowing for the execution of malicious expressions via untrusted input in pipeline expressions. CVE-2026-32604 arises from improper handling of gitrepo artifact types, specifically regarding the sanitization of user-controlled input like branch names and file paths. An attacker with pipeline configuration access can exploit these flaws to achieve arbitrary code execution on the affected system. The Centre for Cybersecurity Belgium (CCB) strongly advises immediate patching and enhanced monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to Spinnaker pipeline configuration, either through compromised credentials or exploiting a separate authentication vulnerability.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-32613, the attacker injects a malicious expression into a pipeline configuration, leveraging the insufficient input validation in expression parsing.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-32604, the attacker crafts a malicious gitrepo artifact definition within a Spinnaker pipeline, specifying a branch name or file path containing injected code.\u003c/li\u003e\n\u003cli\u003eThe Spinnaker pipeline is triggered, either manually or automatically based on configured triggers.\u003c/li\u003e\n\u003cli\u003eDuring pipeline execution, the malicious expression (CVE-2026-32613) or gitrepo artifact (CVE-2026-32604) is processed.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the Spinnaker service, gaining the privileges of the Spinnaker process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to establish persistence, move laterally within the network, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as complete system compromise, data breach, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32613 or CVE-2026-32604 allows an attacker to execute arbitrary code on the Spinnaker server, potentially leading to complete system compromise. This could result in the theft of sensitive credentials, modification of deployment pipelines, deployment of malicious code to production environments, and disruption of critical services. Given Spinnaker\u0026rsquo;s role in continuous delivery, a successful attack can have a wide-ranging impact on the organization\u0026rsquo;s software development lifecycle.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Spinnaker to the latest version to remediate CVE-2026-32613 and CVE-2026-32604 as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to these vulnerabilities, as suggested by the CCB.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures for all user-controlled input within Spinnaker pipeline configurations to prevent future exploitation of similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:46:46Z","date_published":"2026-04-22T14:46:46Z","id":"/briefs/2026-04-spinnaker-rce/","summary":"Critical vulnerabilities CVE-2026-32613 and CVE-2026-32604 in Spinnaker allow authenticated attackers to execute arbitrary code due to insufficient input validation in expression parsing and gitrepo artifact handling, potentially leading to complete system compromise.","title":"Critical RCE Vulnerabilities in Spinnaker","url":"https://feed.craftedsignal.io/briefs/2026-04-spinnaker-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4132"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin","cve-2026-4132"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin\u0026rsquo;s insufficient validation of the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, which controls the location of the .htpasswd file. Furthermore, the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the HTTP Headers plugin settings page.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, setting it to a web-accessible directory (e.g., \u003ccode\u003e/var/www/html/wp-content/uploads/.shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, injecting PHP code into the username field (e.g., \u003ccode\u003e\u0026lt;?php system($_GET['cmd']); ?\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapache_auth_credentials()\u003c/code\u003e function uses sprintf to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_auth_credentials()\u003c/code\u003e function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the newly created PHP file via a web browser (e.g., \u003ccode\u003ehttp://example.com/wp-content/uploads/.shell.php?cmd=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file paths that match the \u0026lsquo;hh_htpasswd_path\u0026rsquo; setting specified in the plugin configuration to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect file creation events in web-accessible directories with PHP extensions that are triggered by the web server process.\u003c/li\u003e\n\u003cli\u003eRestrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:24Z","date_published":"2026-04-22T09:16:24Z","id":"/briefs/2026-04-wordpress-http-headers-rce/","summary":"The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.","title":"WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6023"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6023","telerik","deserialization","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6023 exposes a critical vulnerability within the RadFilter control of Progress Telerik UI for AJAX. Affecting versions 2024.4.1114 to 2026.1.421, this flaw stems from insecure deserialization practices. The vulnerability arises when the filter state is exposed to the client, enabling malicious actors to manipulate this state. Successful exploitation grants attackers the ability to execute arbitrary code on the server. This vulnerability poses a significant risk to organizations utilizing the affected Telerik UI for AJAX versions, potentially leading to complete system compromise and data breaches. Defenders must promptly address this issue through patching or mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application utilizing a vulnerable version of Progress Telerik UI for AJAX (2024.4.1114 - 2026.1.421) with the RadFilter control enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the RadFilter control\u0026rsquo;s behavior, specifically how filter states are serialized and exposed to the client-side, typically within the HTTP request or response.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the serialized filter state data, often Base64 encoded or similar, transmitted between the client and server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized payload containing instructions to execute arbitrary code on the server. This involves exploiting the insecure deserialization process.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the original, legitimate serialized filter state with the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request containing the malicious serialized data to the server.\u003c/li\u003e\n\u003cli\u003eThe Telerik UI for AJAX application on the server attempts to deserialize the tampered data using the RadFilter control.\u003c/li\u003e\n\u003cli\u003eDue to the insecure deserialization vulnerability, the malicious payload is executed, granting the attacker remote code execution on the server. The attacker can then perform actions such as installing malware, exfiltrating sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6023 can lead to complete compromise of the affected server. An attacker can gain remote code execution, enabling them to install malware, steal sensitive data, or disrupt critical business operations. Given the widespread use of Telerik UI in enterprise applications, this vulnerability could potentially impact a large number of organizations across various sectors. Unpatched systems are at high risk of being exploited, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Progress Telerik UI for AJAX to a patched version outside the range of 2024.4.1114 through 2026.1.421 to remediate CVE-2026-6023.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telerik RadFilter Deserialization Attempt\u003c/code\u003e to identify attempts to exploit the deserialization vulnerability by monitoring for suspicious HTTP requests targeting the RadFilter control (Log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent malicious data from being deserialized.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the RadFilter control, such as requests with abnormally large or malformed serialized data (Log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T08:16:13Z","date_published":"2026-04-22T08:16:13Z","id":"/briefs/2026-04-telerik-rce/","summary":"An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.","title":"Insecure Deserialization Vulnerability in Telerik UI for AJAX RadFilter Control (CVE-2026-6023)","url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-41064"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-41064","avideo","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to an unauthenticated remote code execution (RCE) flaw. This vulnerability, identified as CVE-2026-41064, exists in versions up to and including 29.0. The root cause is an incomplete fix applied to the \u003ccode\u003etest.php\u003c/code\u003e file. While the fix implemented \u003ccode\u003eescapeshellarg\u003c/code\u003e for the \u003ccode\u003ewget\u003c/code\u003e command, it neglected to sanitize input for the \u003ccode\u003efile_get_contents\u003c/code\u003e and \u003ccode\u003ecurl\u003c/code\u003e code paths. Additionally, the URL validation regex \u003ccode\u003e/^http/\u003c/code\u003e is overly permissive, accepting malicious strings such as \u003ccode\u003ehttpevil[.]com\u003c/code\u003e. Successful exploitation allows attackers to execute arbitrary commands on the server hosting the AVideo platform. The recommended remediation is to apply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted HTTP request to the \u003ccode\u003etest.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious URL, designed to exploit the insufficient input validation in the \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e code paths. For example, using \u003ccode\u003ehttpevil[.]com\u003c/code\u003e to bypass the regex check \u003ccode\u003e/^http/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etest.php\u003c/code\u003e script processes the request, attempting to retrieve content from the attacker-controlled URL using either \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper sanitization, the malicious URL is interpreted as an OS command.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied OS command.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities, such as installing malware, stealing sensitive data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41064) grants unauthenticated attackers the ability to execute arbitrary code on the affected AVideo server. This can lead to complete compromise of the server, including data theft, defacement, or use as a staging ground for further attacks. Given the platform\u0026rsquo;s use in video hosting, successful attacks could impact numerous users and content creators relying on the vulnerable AVideo instance. The vulnerable regex \u003ccode\u003e/^http/\u003c/code\u003e and unsanitized functions leave the server open to mass exploitation if exposed to the public internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 to fully address the input validation issue in \u003ccode\u003etest.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AVideo test.php Command Injection Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003etest.php\u003c/code\u003e containing suspicious URLs, especially those matching the \u003ccode\u003ehttpevil[.]com\u003c/code\u003e pattern as documented in the IOCs.\u003c/li\u003e\n\u003cli\u003eImplement a more robust URL validation mechanism that properly sanitizes input before passing it to \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T00:16:28Z","date_published":"2026-04-22T00:16:28Z","id":"/briefs/2026-04-avideo-rce/","summary":"WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.","title":"WWBN AVideo Unauthenticated Remote Code Execution via test.php","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6249"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6249","rce","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVvveb CMS version 1.0.8 is susceptible to a remote code execution (RCE) vulnerability (CVE-2026-6249) due to insufficient input validation in the media upload handler. An authenticated attacker can exploit this flaw by uploading a malicious PHP webshell disguised with a \u003ccode\u003e.phtml\u003c/code\u003e extension, which bypasses the server\u0026rsquo;s intended extension deny-list. The uploaded webshell is then accessible within the publicly available media directory. By crafting a specific HTTP request to access the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file, the attacker can trigger the execution of arbitrary operating system commands on the server, leading to a complete compromise of the system. This vulnerability poses a significant threat to organizations utilizing Vvveb CMS 1.0.8, potentially enabling attackers to steal sensitive data, disrupt services, or establish a persistent foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Vvveb CMS 1.0.8 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the media upload functionality within the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP webshell file, named with a \u003ccode\u003e.phtml\u003c/code\u003e extension, crafted to execute operating system commands.\u003c/li\u003e\n\u003cli\u003eThe CMS stores the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file in the publicly accessible media directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request targeting the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file in the media directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the \u003ccode\u003e.phtml\u003c/code\u003e file upon receiving the attacker\u0026rsquo;s HTTP request.\u003c/li\u003e\n\u003cli\u003eThe PHP code executes arbitrary operating system commands, as defined by the attacker in the webshell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the server, potentially leading to data theft, service disruption, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6249 allows an attacker to execute arbitrary operating system commands on the Vvveb CMS server. This could lead to a full compromise of the system, including the theft of sensitive data stored in the CMS database, modification of website content, or the deployment of malicious software. Organizations using Vvveb CMS 1.0.8 are at risk of data breaches, financial losses, and reputational damage if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb CMS to a patched version that addresses CVE-2026-6249.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on all file upload functionalities to prevent the upload of malicious files.\u003c/li\u003e\n\u003cli\u003eConfigure the web server to prevent the execution of PHP code within the media directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PHTML Request\u003c/code\u003e to identify attempts to access \u003ccode\u003e.phtml\u003c/code\u003e files in the media directory.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting unusual file extensions in media directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-vvveb-rce/","summary":"Vvveb CMS 1.0.8 is vulnerable to remote code execution, allowing authenticated attackers to upload a PHP webshell with a .phtml extension, bypass extension restrictions, and execute arbitrary operating system commands by requesting the uploaded file.","title":"Vvveb CMS 1.0.8 Remote Code Execution via Malicious Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-vvveb-rce/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-23500"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","dolibarr"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDolibarr, a popular open-source ERP and CRM system, is susceptible to OS Command Injection (RCE) in versions up to 22.0.4. This vulnerability, identified as CVE-2026-23500, stems from insufficient validation of the \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e configuration setting. An attacker with administrative privileges can inject malicious commands into this setting, which are then executed by the server during ODT to PDF conversion processes. The vulnerability resides in \u003ccode\u003ehtdocs/includes/odtphp/odf.php\u003c/code\u003e, where the application constructs a shell command using the unfiltered \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e value. Successful exploitation enables arbitrary command execution on the server, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains administrative access to the Dolibarr instance, either through credential compromise or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Home -\u0026gt; Setup -\u0026gt; Other Setup\u0026rdquo; section of the Dolibarr administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e configuration constant. The injected payload includes a command separator (\u003ccode\u003e;\u003c/code\u003e) followed by the malicious command. The example uses \u003ccode\u003ejodconverter; echo \u0026lt;base64_encoded_command\u0026gt; | base64 -d | bash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Commerce -\u0026gt; New proposal\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new proposal in draft status and selects an ODT template.\u003c/li\u003e\n\u003cli\u003eThe attacker clicks the \u0026ldquo;Generate\u0026rdquo; button, triggering the ODT to PDF conversion process.\u003c/li\u003e\n\u003cli\u003eThe application executes the crafted shell command, resulting in command execution.\u003c/li\u003e\n\u003cli\u003eIn the proof of concept, the attacker establishes a reverse shell connection to their specified IP address (172.26.0.1) and port (4445), gaining interactive shell access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with administrator privileges to execute arbitrary commands on the underlying server as the web server user. This can lead to the compromise of sensitive data, modification of application files, and potentially full system compromise. The observed impact includes the establishment of a reverse shell, granting the attacker complete control over the Dolibarr instance. This vulnerability affects Dolibarr installations up to version 22.0.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dolibarr to a patched version beyond 22.0.4 to remediate CVE-2026-23500.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for commands executed with suspicious arguments in \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e by deploying the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to unusual external IP addresses originating from the web server, especially following events related to document generation. Block the C2 IP address \u003ccode\u003e172.26.0.1\u003c/code\u003e listed in the IOC table at the network perimeter.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit administrator accounts to prevent unauthorized access to the Dolibarr configuration settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-dolibarr-rce/","summary":"Dolibarr versions 22.0.4 and earlier are vulnerable to OS Command Injection via the MAIN_ODT_AS_PDF configuration, allowing an authenticated administrator to inject a malicious payload, leading to arbitrary operating system command execution.","title":"Dolibarr OS Command Injection via MAIN_ODT_AS_PDF Configuration","url":"https://feed.craftedsignal.io/briefs/2026-04-dolibarr-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40066"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40066","rce","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Anviz CX2 Lite and CX7 devices are susceptible to a critical vulnerability (CVE-2026-40066) stemming from the lack of integrity checks on update packages. An attacker can upload a crafted update package to the device. The vulnerable devices then unpack the contents of this package and execute a script without proper authentication or verification. This leads to unauthenticated remote code execution, potentially allowing the attacker to gain complete control over the compromised device. The vulnerability was reported by ICS-CERT and assigned a CVSS v3.1 base score of 8.8, indicating a high severity. Successful exploitation of this vulnerability allows an attacker to perform any action on the device, including stealing data, installing malware, or using the device as a foothold for further attacks on the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Anviz CX2 Lite or CX7 device accessible on the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious update package containing a script designed for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious update package to the device\u0026rsquo;s update interface. Due to the vulnerability, this upload may not require authentication.\u003c/li\u003e\n\u003cli\u003eThe device unpacks the contents of the update package, including the malicious script.\u003c/li\u003e\n\u003cli\u003eThe device executes the script without proper verification or sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes arbitrary commands on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the device.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised device to move laterally within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40066 results in unauthenticated remote code execution on the affected Anviz CX2 Lite and CX7 devices. This can lead to complete compromise of the device, allowing attackers to steal sensitive data, install malware, or use the device as a pivot point to gain access to other systems on the network. Given the potential for widespread deployment of these devices in various sectors, the impact could be significant, affecting many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates from Anviz to address CVE-2026-40066.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to Anviz devices attempting to download or install update packages, and deploy the network connection rule below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised Anviz device on other systems.\u003c/li\u003e\n\u003cli\u003eMonitor process creation on Anviz devices for unusual or unexpected processes, and deploy the process creation rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:35Z","date_published":"2026-04-17T20:16:35Z","id":"/briefs/2026-04-anviz-rce/","summary":"Anviz CX2 Lite and CX7 devices are vulnerable to unverified update packages that allow for unauthenticated remote code execution by unpacking and executing a malicious script.","title":"Anviz CX2 Lite and CX7 Unauthenticated Remote Code Execution via Unverified Update Packages (CVE-2026-40066)","url":"https://feed.craftedsignal.io/briefs/2026-04-anviz-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3464"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the \u0026lsquo;ajax_attach_file\u0026rsquo; function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting \u003ccode\u003ewp-config.php\u003c/code\u003e), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.\u003c/li\u003e\n\u003cli\u003eIf reading, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eIf deleting, the targeted file is removed from the server.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a sensitive file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious file paths targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement stricter file path validation on the web server to prevent arbitrary file access.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T17:17:07Z","date_published":"2026-04-17T17:17:07Z","id":"/briefs/2026-04-wp-customer-area-file-read-delete/","summary":"The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.","title":"WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2025-61687"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","file-upload","rce","web-shell"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e setting, an attacker can add \u003ccode\u003eapplication/javascript\u003c/code\u003e as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FlowiseAI instance running a version \u0026lt;= 3.0.13.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to the \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe PUT request modifies the Chatflow configuration, specifically the \u003ccode\u003echatbotConfig\u003c/code\u003e to include \u003ccode\u003eapplication/javascript\u003c/code\u003e in the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e endpoint to upload a \u003ccode\u003e.js\u003c/code\u003e file (Node.js web shell), such as the \u003ccode\u003eshell.js\u003c/code\u003e example.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious \u003ccode\u003e.js\u003c/code\u003e file to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded \u003ccode\u003e.js\u003c/code\u003e file via a direct HTTP request.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands specified in the URL parameters, such as \u003ccode\u003ehttp://localhost:8888/?cmd=id\u003c/code\u003e, resulting in RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to prevent modification of \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e settings.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for PUT requests to \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e modifying \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e uploading \u003ccode\u003e.js\u003c/code\u003e files based on the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T14:00:00Z","date_published":"2026-04-17T14:00:00Z","id":"/briefs/2026-04-17-flowise-upload-bypass/","summary":"A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).","title":"FlowiseAI File Upload Validation Bypass Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41113"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["qmail","rce","command-injection","CVE-2026-41113"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eSagredo qmail, a mail transfer agent (MTA), is vulnerable to a remote code execution (RCE) flaw, identified as CVE-2026-41113.  Specifically, versions prior to 2026.04.07 are affected. The vulnerability lies in the \u003ccode\u003enotlshosts_auto\u003c/code\u003e function within the \u003ccode\u003eqmail-remote.c\u003c/code\u003e file, where the \u003ccode\u003epopen\u003c/code\u003e function is used without proper sanitization, potentially allowing an attacker to inject and execute arbitrary OS commands. This vulnerability could be exploited by a remote attacker without requiring authentication, making it a critical security concern for organizations utilizing the affected qmail versions. Defenders should prioritize patching and consider implementing mitigations to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an email to a target qmail server.\u003c/li\u003e\n\u003cli\u003eThe qmail server receives the email and processes the recipient address.\u003c/li\u003e\n\u003cli\u003eDuring the delivery process, \u003ccode\u003eqmail-remote.c\u003c/code\u003e is invoked to handle remote delivery.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enotlshosts_auto\u003c/code\u003e function is called within \u003ccode\u003eqmail-remote.c\u003c/code\u003e to determine if TLS should be used for the connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enotlshosts_auto\u003c/code\u003e function executes the \u003ccode\u003epopen\u003c/code\u003e command with a crafted input string from the email, attempting to resolve hostnames.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious commands into the hostname string, which are then executed by \u003ccode\u003epopen\u003c/code\u003e on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the qmail server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then pivot to other systems within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41113 allows a remote attacker to execute arbitrary code on the vulnerable qmail server. This could lead to complete system compromise, data breaches, or denial-of-service conditions. Organizations using vulnerable versions of qmail are at risk of losing control of their email infrastructure and potentially exposing sensitive information. While the number of actively exploited instances is currently unknown, the high CVSS score (8.1) underscores the severity and potential for widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Sagredo qmail version 2026.04.07 or later to patch CVE-2026-41113 (reference: \u003ca href=\"https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07\"\u003ehttps://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise on the qmail server.\u003c/li\u003e\n\u003cli\u003eMonitor qmail server logs for suspicious activity, such as unusual process execution or network connections (enable process_creation and network_connection logging).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Qmail Remote Execution via popen\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-qmail-rce/","summary":"A remote code execution vulnerability exists in Sagredo qmail versions prior to 2026.04.07 due to the use of `popen` in the `notlshosts_auto` function within `qmail-remote.c`, potentially leading to OS command injection.","title":"Sagredo qmail Remote Code Execution Vulnerability (CVE-2026-41113)","url":"https://feed.craftedsignal.io/briefs/2026-04-qmail-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowise","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowise is an open-source low-code platform to build customized AI flow. Versions 3.0.13 and earlier contain a critical vulnerability that allows authenticated users to execute arbitrary commands on the underlying operating system. This vulnerability stems from insufficient input sanitization within the MCP (Model Composition Protocol) adapter. By adding a new MCP using stdio, an attacker can inject malicious commands, bypassing existing sanitization checks. Specifically, the vulnerability lies in the \u0026ldquo;Custom MCP\u0026rdquo; configuration where commands like \u0026ldquo;npx\u0026rdquo; can be combined with code execution arguments (e.g., \u0026ldquo;npx -c touch /tmp/pwn\u0026rdquo;), leading to direct code execution. This vulnerability affects both the \u003ccode\u003eflowise\u003c/code\u003e and \u003ccode\u003eflowise-components\u003c/code\u003e packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Flowise application.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Custom MCP configuration page (e.g., \u003ccode\u003e/canvas\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker creates a new Custom MCP adapter.\u003c/li\u003e\n\u003cli\u003eAttacker configures the MCP adapter to use stdio.\u003c/li\u003e\n\u003cli\u003eAttacker injects a malicious command, such as \u0026ldquo;npx -c touch /tmp/pwn\u0026rdquo;, into the command or arguments fields. This bypasses \u003ccode\u003evalidateCommandInjection\u003c/code\u003e and \u003ccode\u003evalidateArgsForLocalFileAccess\u003c/code\u003e checks.\u003c/li\u003e\n\u003cli\u003eFlowise application executes the attacker-supplied command via the MCP adapter.\u003c/li\u003e\n\u003cli\u003eMalicious command is executed on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated attacker to achieve arbitrary command execution on the Flowise server. This could lead to complete system compromise, data theft, or denial of service. The vulnerability affects Flowise installations running versions 3.0.13 and earlier. The number of affected installations is currently unknown, but given the popularity of Flowise, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Flowise and Flowise-components to a version greater than 3.0.13 to patch CVE-2026-40933.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;npx\u0026rdquo; with the \u0026ldquo;-c\u0026rdquo; argument where the parent process is the Flowise application. Deploy the provided Sigma rule \u003ccode\u003eDetect Flowise MCP Command Execution\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization measures within the MCP adapter configuration to prevent command injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-flowise-rce/","summary":"Flowise versions 3.0.13 and earlier are vulnerable to authenticated arbitrary command execution due to unsafe serialization of stdio commands in the MCP adapter, allowing a malicious user to execute commands on the underlying operating system.","title":"Flowise Authenticated Remote Code Execution via MCP Adapter","url":"https://feed.craftedsignal.io/briefs/2026-04-flowise-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-20186"},{"cvss":9.9,"id":"CVE-2026-20147"},{"cvss":9.9,"id":"CVE-2026-20180"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco-ise","rce","command-injection","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Identity Services Engine (ISE) versions 3.x.x (3.1.0 - 3.4.0, and 3.1.0 p1-p10, 3.2.0 p1-p7, 3.3 Patches 1-7, and 3.4 Patches 1-3) are vulnerable to three newly disclosed vulnerabilities that can lead to remote code execution. These vulnerabilities, CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180, can be exploited by remote attackers with low privileges, such as having Read Only Admin credentials. Successful exploitation can result in service disruption, system takeover, and complete compromise of the ISE instance. The vulnerabilities involve command injection and path traversal due to insufficient validation of user-supplied input in HTTP request handling. There is currently no public proof-of-concept or proof-of-exploitation available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to CISCO ISE with low-privilege credentials (e.g., Read Only Admin).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting a vulnerable endpoint within the ISE web application.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits CVE-2026-20186 by injecting commands to escalate privileges to root.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2026-20147 by sending a crafted HTTP request to execute arbitrary commands on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eAs another option, the attacker leverages CVE-2026-20180 by exploiting insufficient validation of user-supplied input, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe injected commands or executed code elevates the attacker\u0026rsquo;s privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the ISE system, enabling them to modify configurations, access sensitive data, or install malicious software.\u003c/li\u003e\n\u003cli\u003eIn single-node ISE deployments, successful exploitation can lead to a denial-of-service condition, disrupting network authentication and authorization services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over the CISCO ISE system. This can lead to the compromise of sensitive network access policies, credentials, and other confidential information managed by ISE. The impact includes potential disruption of network services due to denial-of-service, unauthorized access to network resources, and the potential for lateral movement to other systems within the network. Given that ISE is a critical component for network access control, a successful attack can have widespread and severe consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch vulnerable CISCO ISE instances to the latest version to remediate CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180 (Cisco Security Advisory).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection capabilities to identify suspicious activity related to these vulnerabilities (CCB Recommendation).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any existing compromises by reviewing system logs and configurations for unauthorized changes (CCB Recommendation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T08:45:05Z","date_published":"2026-04-17T08:45:05Z","id":"/briefs/2026-04-cisco-ise-rce/","summary":"Multiple critical vulnerabilities in CISCO ISE (CVE-2026-20186, CVE-2026-20147, CVE-2026-20180) allow remote attackers with low privileges to execute arbitrary commands, potentially escalating privileges to root and causing denial-of-service.","title":"Multiple Critical Vulnerabilities in CISCO ISE Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-ise-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-33392"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-33392","rce","jetbrains","youtrack","sandbox-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33392 describes a remote code execution (RCE) vulnerability affecting JetBrains YouTrack servers before version 2025.3.131383. This vulnerability allows a high privileged user to bypass the application\u0026rsquo;s sandbox and execute arbitrary code on the underlying system. While the specific exploitation details are not provided in the source, successful exploitation would grant the attacker complete control over the YouTrack server and potentially the entire network. Given the potential for complete system compromise, organizations using affected versions of YouTrack should prioritize patching this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the YouTrack server with a high-privileged account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload designed to exploit the sandbox bypass. This payload leverages the improper neutralization of special elements used in a template engine (CWE-1336).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a vulnerable field or function within YouTrack, such as a custom workflow or template.\u003c/li\u003e\n\u003cli\u003eThe YouTrack server processes the malicious payload, failing to properly sanitize the input.\u003c/li\u003e\n\u003cli\u003eThe injected payload bypasses the intended security sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed on the YouTrack server, outside the intended sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained code execution to install a webshell or other persistent access mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised YouTrack server as a pivot point to access other systems within the network, potentially leading to data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33392 allows a high privileged user to execute arbitrary code on the YouTrack server. This can lead to complete system compromise, including data theft, modification, or destruction. The impact is especially significant for organizations that rely on YouTrack for critical project management and issue tracking, as a compromised server can disrupt operations, expose sensitive information, and damage reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade JetBrains YouTrack to version 2025.3.131383 or later to patch CVE-2026-33392.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential exploitation attempts against YouTrack servers.\u003c/li\u003e\n\u003cli\u003eReview and restrict high-privilege user access within YouTrack to minimize the potential attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, particularly requests containing unusual characters or patterns indicative of code injection attempts, to assist with detection of similar exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T08:16:17Z","date_published":"2026-04-17T08:16:17Z","id":"/briefs/2026-04-jetbrains-rce/","summary":"A high privileged user can achieve remote code execution via sandbox bypass in JetBrains YouTrack before version 2025.3.131383, identified as CVE-2026-33392, potentially leading to complete system compromise.","title":"JetBrains YouTrack RCE via Sandbox Bypass (CVE-2026-33392)","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","rce","prompt-injection","airtable"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI is susceptible to a remote code execution (RCE) vulnerability within the AirtableAgent function. This function, designed to retrieve and process datasets from Airtable.com, is flawed due to the lack of input sanitization. Specifically, user-supplied input is directly incorporated into a prompt template, which is then used to generate Python code executed by Pyodide. By injecting malicious payloads into the prompt, an attacker can bypass the intended behavior of the language model and execute arbitrary Python code, leading to complete system compromise. The vulnerability resides in \u003ccode\u003eAirtableAgent.ts\u003c/code\u003e and is triggered when the \u003ccode\u003einput\u003c/code\u003e variable, containing user-supplied data, is passed to the LLMChain without proper validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload containing a prompt injection designed to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted payload via the FlowiseAI application to the AirtableAgent function.\u003c/li\u003e\n\u003cli\u003eThe payload is passed into the \u003ccode\u003einput\u003c/code\u003e variable without sanitization and incorporated into the prompt template within \u003ccode\u003esystemPrompt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LLMChain uses the crafted prompt, including the injected code, to generate a \u003ccode\u003epythonCode\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe generated \u003ccode\u003epythonCode\u003c/code\u003e string, containing the malicious code, is passed to the \u003ccode\u003epyodide.runPythonAsync()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003ePyodide executes the malicious Python code, leading to remote code execution on the FlowiseAI server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the FlowiseAI instance, potentially accessing sensitive data or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for complete remote code execution on the FlowiseAI server. This could lead to the compromise of sensitive data stored within Airtable datasets, as well as the potential for lateral movement to other systems on the network. The lack of input validation opens the door to attackers using prompt injection to bypass security measures and gain unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input sanitization and validation to the \u003ccode\u003einput\u003c/code\u003e variable within the AirtableAgent function in \u003ccode\u003eAirtableAgent.ts\u003c/code\u003e before it is incorporated into the prompt template.\u003c/li\u003e\n\u003cli\u003eImplement strict output filtering on the \u003ccode\u003epythonCode\u003c/code\u003e generated by the LLMChain to prevent the execution of potentially malicious code.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect prompt injection attempts targeting the AirtableAgent function.\u003c/li\u003e\n\u003cli\u003eRegularly audit and update FlowiseAI dependencies, including Pyodide and Pandas, to address any known security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T21:43:57Z","date_published":"2026-04-16T21:43:57Z","id":"/briefs/2024-01-flowise-rce/","summary":"A remote code execution vulnerability exists in FlowiseAI's AirtableAgent.ts due to insufficient input verification when using Pandas, allowing attackers to inject malicious code into the prompt and execute arbitrary code via Pyodide.","title":"FlowiseAI AirtableAgent Remote Code Execution via Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-flowise-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apache-activemq","vulnerability","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities in Apache ActiveMQ, a popular open-source message broker, can be exploited by an authenticated remote attacker to achieve arbitrary code execution or manipulate files. This threat affects ActiveMQ brokers, clients, and web consoles. Given ActiveMQ\u0026rsquo;s widespread use in enterprise environments for inter-application communication, successful exploitation could lead to significant data breaches, service disruptions, and lateral movement within the affected networks. The vendor has not released information about the specific vulnerabilities being targeted, but the advisory indicates that authentication is a prerequisite for exploitation, suggesting that stolen or weak credentials could be a contributing factor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid credentials for accessing the ActiveMQ broker or web console, potentially through credential stuffing, phishing, or exploiting other vulnerabilities in the application stack.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ActiveMQ broker or web console using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability that allows them to manipulate files on the ActiveMQ server, such as uploading malicious configuration files or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages another vulnerability that enables arbitrary code execution through the manipulated files or other mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the ActiveMQ server, potentially gaining a shell or other remote access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and data.\u003c/li\u003e\n\u003cli\u003eThe attacker installs backdoors or other persistent mechanisms to maintain access to the compromised ActiveMQ server and the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised systems or deploys ransomware to encrypt data and demand a ransom payment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of the ActiveMQ server, potential data breaches, and lateral movement within the network. Depending on the ActiveMQ server\u0026rsquo;s role, this can severely impact business operations, lead to financial losses, and damage the organization\u0026rsquo;s reputation. The number of potential victims is high due to the widespread use of Apache ActiveMQ across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview ActiveMQ access controls and enforce multi-factor authentication to mitigate credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor ActiveMQ logs for suspicious authentication attempts or unusual activity patterns indicative of exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against ActiveMQ servers based on unusual process execution.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised ActiveMQ server and prevent lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T05:29:10Z","date_published":"2026-04-16T05:29:10Z","id":"/briefs/2026-04-activemq-vulns/","summary":"An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to manipulate files or execute arbitrary code.","title":"Apache ActiveMQ Multiple Vulnerabilities Allow Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-33435"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33435","rce","weblate"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, contains a vulnerability (CVE-2026-33435) in versions prior to 5.17. The flaw stems from the project backup functionality, which fails to adequately filter Git and Mercurial configuration files. This oversight can be exploited to achieve remote code execution (RCE) under certain circumstances. The vulnerability was reported and patched in version 5.17. Mitigation steps for unpatched systems involve restricting access to the project backup feature, as it is limited to users with project creation privileges. This vulnerability poses a significant risk, as successful exploitation can lead to complete system compromise, data breaches, and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a Weblate account with project creation privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious project containing crafted Git or Mercurial configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a project backup.\u003c/li\u003e\n\u003cli\u003eThe backup process fails to properly sanitize the malicious configuration files.\u003c/li\u003e\n\u003cli\u003eThe backup is stored on the server, potentially overwriting existing files.\u003c/li\u003e\n\u003cli\u003eThe Weblate server attempts to process or utilize the tainted configuration files.\u003c/li\u003e\n\u003cli\u003eDue to improper sanitization, the malicious configuration files trigger command execution within the Weblate server\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, gaining control over the Weblate server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33435 can lead to remote code execution on the Weblate server. The impact includes potential data breaches, unauthorized access to localization projects, and complete compromise of the affected system. While the exact number of affected installations is unknown, organizations using vulnerable versions of Weblate risk significant operational disruption and data loss. Sectors utilizing Weblate for localization, such as software development, content creation, and e-commerce, are at increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weblate to version 5.17 or later to patch CVE-2026-33435.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, restrict access to the project backup feature to only trusted users as recommended in the CVE description.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to project backup downloads, focusing on requests to /admin/backup/ paths. Use the provided Sigma rule to detect unusual file downloads from the webserver.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious file uploads of git configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:16:35Z","date_published":"2026-04-15T19:16:35Z","id":"/briefs/2026-04-weblate-rce/","summary":"Weblate versions before 5.17 are susceptible to remote code execution due to unfiltered Git and Mercurial configuration files in project backups, potentially allowing attackers to execute arbitrary code under specific conditions.","title":"Weblate Project Backup Vulnerability Leads to Potential Remote Code Execution (CVE-2026-33435)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33120"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-server","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33120 is a critical vulnerability affecting Microsoft SQL Server. This vulnerability, classified as an untrusted pointer dereference, allows an authorized attacker to execute arbitrary code on the targeted system remotely. Successful exploitation requires the attacker to be authenticated to the SQL Server instance, reducing the attack surface but still posing a significant threat to internal networks. The vulnerability was reported by Microsoft and assigned a CVSS v3.1 score of 8.8, highlighting its potential for significant impact. The vulnerability poses a significant risk to organizations utilizing vulnerable SQL Server instances, as it could lead to data breaches, system compromise, and further lateral movement within the network. Defenders need to identify and patch vulnerable SQL Server instances promptly to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the targeted SQL Server instance using compromised or valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query designed to trigger the untrusted pointer dereference.\u003c/li\u003e\n\u003cli\u003eThe malicious query is sent to the SQL Server instance for processing.\u003c/li\u003e\n\u003cli\u003eSQL Server attempts to dereference a pointer controlled by the attacker due to the crafted query.\u003c/li\u003e\n\u003cli\u003eThis dereference leads to an exception or crash within the SQL Server process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this crash to gain control of the execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the SQL Server process memory.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the SQL Server service account, granting the attacker system-level privileges and remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33120 allows an authenticated attacker to execute arbitrary code on the targeted SQL Server instance with system-level privileges. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. The vulnerability affects all SQL Server versions prior to the patch. Given the widespread use of SQL Server in enterprise environments, a successful exploit could have significant repercussions, impacting sensitive data and critical business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-33120 on all affected SQL Server instances immediately. Refer to the Microsoft advisory (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120\u003c/a\u003e) for specific instructions.\u003c/li\u003e\n\u003cli\u003eMonitor SQL Server logs for suspicious activity, such as unexpected crashes or unusual query patterns that might indicate exploitation attempts. Create a rule based on process creation with unexpected parent processes.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious SQL Server Process Creation\u003c/code\u003e to detect potential exploitation attempts based on process creation events.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for SQL Server accounts to minimize the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-sql-server-rce/","summary":"CVE-2026-33120 is an untrusted pointer dereference vulnerability in Microsoft SQL Server that allows an authenticated attacker to achieve remote code execution over a network.","title":"SQL Server Untrusted Pointer Dereference Vulnerability (CVE-2026-33120)","url":"https://feed.craftedsignal.io/briefs/2026-04-sql-server-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6264"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","deserialization","talend"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical remote code execution vulnerability, CVE-2026-6264, has been identified in Talend JobServer and Talend Runtime, core components of the Talend data integration platform. Versions affected include Talend JobServer 7.3 (before TPS-6018) and 8.0 (before TPS-6017), as well as Talend Runtime 7.3 (before 7.3.1-R2026-01) and 8.0 (before 8.0.1.R2026-01-RT). The vulnerability stems from insecure deserialization of untrusted data through the JMX monitoring port. Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely, gain full control over affected systems, access, modify, or delete sensitive data, and disrupt services and data processing workflows. Given the wide deployment of Talend in enterprise settings, this vulnerability poses a significant risk to critical data pipelines.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Talend JobServer or Runtime instance with an exposed JMX monitoring port.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized Java object containing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious serialized object to the JMX monitoring port of the target system.\u003c/li\u003e\n\u003cli\u003eThe Talend JobServer or Runtime instance deserializes the malicious object without proper validation.\u003c/li\u003e\n\u003cli\u003eThe deserialization process triggers the execution of the embedded malicious code within the Java Runtime Environment (JRE).\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their initial access to escalate privileges, potentially gaining root or SYSTEM access.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access, modify, or exfiltrate sensitive data, install backdoors, or disrupt critical services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6264 can lead to complete system compromise, allowing attackers to execute arbitrary code, access sensitive data, and disrupt critical business processes. Given that Talend is often deployed in enterprise environments as part of critical data pipelines, a successful attack could result in widespread compromise across the enterprise, potentially impacting hundreds or thousands of systems and causing significant financial and reputational damage. The CCB has rated this as a critical vulnerability with a CVSS score of 9.8.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Talend JobServer to the latest version (TPS-6018 for 7.3, TPS-6017 for 8.0) to fully mitigate the vulnerability, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eFor Talend Runtime, disable the JobServer JMX monitoring port, particularly on versions prior to R2024-07-RT, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious JMX traffic indicative of CVE-2026-6264 exploitation.\u003c/li\u003e\n\u003cli\u003eIncrease monitoring and detection capabilities to identify any related suspicious activity, as recommended by the CCB.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-talend-rce/","summary":"CVE-2026-6264, a critical deserialization vulnerability in Talend JobServer and Runtime, allows unauthenticated remote code execution via the JMX monitoring port, leading to complete system compromise.","title":"Critical Remote Code Execution Vulnerability in Talend JobServer and Talend Runtime","url":"https://feed.craftedsignal.io/briefs/2026-04-talend-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-27304"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-27304","coldfusion","rce","improper-input-validation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAdobe ColdFusion versions 2023.18, 2025.6, and earlier are susceptible to an improper input validation vulnerability (CVE-2026-27304). This flaw allows for arbitrary code execution within the security context of the current user. The vulnerability is exploitable remotely and requires no user interaction, increasing the potential impact. This vulnerability was disclosed on April 14, 2026. Given the severity and ease of exploitation, organizations using affected ColdFusion versions should prioritize patching and implement detection measures immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable ColdFusion server running a version prior to 2023.18 or 2025.6.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a payload designed to exploit the input validation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to a ColdFusion endpoint that processes user-supplied input.\u003c/li\u003e\n\u003cli\u003eDue to the improper input validation, the malicious payload is processed by the ColdFusion server.\u003c/li\u003e\n\u003cli\u003eThe payload executes arbitrary code within the context of the ColdFusion application user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can install malware, exfiltrate sensitive data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the ColdFusion server. This can lead to complete system compromise, including data theft, malware installation, and denial of service. Given the criticality of ColdFusion in many enterprise environments, a successful attack can have significant business impact, leading to financial losses, reputational damage, and legal consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by Adobe as outlined in APSB26-38 to remediate CVE-2026-27304 (reference: \u003ca href=\"https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html)\"\u003ehttps://helpx.adobe.com/security/products/coldfusion/apsb26-38.html)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting ColdFusion endpoints with unusually long or malformed parameters (reference: webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement input validation rules in ColdFusion applications to prevent malicious data from being processed (reference: CWE-20).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts in your web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-coldfusion-rce/","summary":"Adobe ColdFusion versions 2023.18, 2025.6, and earlier are vulnerable to improper input validation, potentially leading to arbitrary code execution without user interaction.","title":"Adobe ColdFusion Improper Input Validation RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-coldfusion-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22562"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","unifi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22562 describes a critical path traversal vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. An attacker with access to the UniFi Play network can exploit this vulnerability to write arbitrary files on the file system. This capability can then be leveraged to achieve remote code execution (RCE) on the vulnerable device. Successful exploitation requires network access to the affected UniFi Play devices, making internal networks the primary target. The vulnerability was disclosed in April 2026. Defenders should prioritize patching vulnerable devices to prevent potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the UniFi Play network (e.g., via compromised credentials or network intrusion).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable UniFi Play device (PowerAmp \u0026lt;= 1.0.35 or Audio Port \u0026lt;= 1.0.24).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing a path traversal sequence (e.g., \u0026ldquo;../../../\u0026rdquo;) in a file upload or download parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device processes the request without proper sanitization, allowing the attacker to write a file to an arbitrary location on the file system.\u003c/li\u003e\n\u003cli\u003eAttacker writes a malicious script (e.g., a shell script or executable) to a location where it can be executed (e.g., a startup directory or cron job).\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the malicious script (e.g., by rebooting the device or waiting for the cron job to run).\u003c/li\u003e\n\u003cli\u003eThe malicious script executes with the privileges of the UniFi Play device, granting the attacker remote code execution.\u003c/li\u003e\n\u003cli\u003eAttacker uses RCE to further compromise the device, pivot to other network assets, or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22562 allows an attacker to gain complete control of the vulnerable UniFi Play device. This can lead to data exfiltration, device disruption, and further compromise of the network to which the device is connected. Given the potential for RCE, an attacker could potentially use compromised devices as entry points to other systems on the network, thus expanding their reach and increasing the overall impact of the attack. Organizations using affected UniFi Play devices are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22562 (see Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests containing path traversal sequences targeting UniFi Play devices using the provided Sigma rule (Path Traversal in URI).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise of a UniFi Play device.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to the UniFi Play network to prevent unauthorized access by potential attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T14:00:00Z","date_published":"2026-04-14T14:00:00Z","id":"/briefs/2026-04-unifi-path-traversal/","summary":"A path traversal vulnerability in UniFi Play devices allows an attacker with network access to write arbitrary files, leading to remote code execution.","title":"UniFi Play Path Traversal Vulnerability (CVE-2026-22562)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6224"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nocobase","rce","sandbox-escape","cve-2026-6224"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6224, affects NocoBase plugin-workflow-javascript versions up to 2.0.23. This vulnerability resides in the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within the \u003ccode\u003epackages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e file. By manipulating this function, an attacker can escape the intended sandbox environment. Publicly available exploits exist, increasing the risk of active exploitation. This vulnerability allows for remote, unauthenticated exploitation, making it a significant threat to systems running the affected NocoBase plugin. The vendor has not responded to vulnerability disclosure attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious request to the NocoBase server targeting the \u003ccode\u003eplugin-workflow-javascript\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe request is processed by the vulnerable \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within \u003ccode\u003eVm.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the identified manipulation technique to bypass the intended sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying server environment.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary JavaScript code within the server context.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through creating new user accounts or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, leading to potential data theft, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6224 can lead to complete compromise of the NocoBase server. An attacker can gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt normal operations. Given the nature of NocoBase as a data management platform, the impact could include widespread data breaches and significant reputational damage. Because exploits are publicly available, organizations using vulnerable versions of the plugin are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NocoBase plugin-workflow-javascript to a patched version beyond 2.0.23 to remediate CVE-2026-6224.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious NocoBase Workflow JavaScript Activity\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent malicious code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-nocobase-rce/","summary":"A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.","title":"NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3017"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","php","object-injection","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Smart Post Show WordPress plugin, specifically the Post Grid, Post Carousel \u0026amp; Slider, and List Category Posts components, contains a PHP Object Injection vulnerability. This flaw affects all versions up to and including 3.0.12. The vulnerability resides in the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, where the deserialization of untrusted input occurs. This vulnerability requires an authenticated attacker with administrative privileges or higher. Successful exploitation requires the presence of a suitable Property-Oriented Programming (POP) chain within another installed plugin or theme. Without a POP chain, the injected object has no immediate impact. However, with a POP chain, attackers can potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative-level access to the WordPress dashboard, either through credential compromise or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Smart Post Show plugin settings page within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a serialized PHP object designed to trigger a POP chain.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, likely through a form field or file upload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function deserializes the attacker-controlled input, creating the malicious PHP object.\u003c/li\u003e\n\u003cli\u003eIf a suitable POP chain exists within other installed plugins or themes, the deserialization triggers the chain.\u003c/li\u003e\n\u003cli\u003eThe POP chain executes a series of predefined actions based on the objects and methods involved.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe PHP Object Injection vulnerability in the Smart Post Show WordPress plugin allows attackers to potentially gain remote code execution on the affected server. The impact is contingent on the existence of a POP chain within other installed plugins or themes. If successful, an attacker could potentially compromise the entire web server, leading to data breaches, defacement, or complete system takeover. Given the widespread use of WordPress and this plugin, a successful exploit could affect numerous websites across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Smart Post Show plugin to a version greater than 3.0.12 to patch CVE-2026-3017.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Plugin Deserialization Attempt\u0026rdquo; to monitor for suspicious deserialization activity on WordPress servers.\u003c/li\u003e\n\u003cli\u003eAudit all installed WordPress plugins and themes for potential POP chains that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T06:17:10Z","date_published":"2026-04-14T06:17:10Z","id":"/briefs/2026-04-smart-post-show-rce/","summary":"The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.","title":"Smart Post Show WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-post-show-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-34621"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["adobe","acrobat","reader","rce","vulnerability"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eAdobe has addressed CVE-2026-34621, a zero-day vulnerability affecting Acrobat DC, Acrobat Reader DC, and Acrobat 2024 versions on both Windows and macOS. This flaw has been actively exploited in the wild since at least December, with initial discovery occurring after a malicious PDF sample named \u0026ldquo;yummy_adobe_exploit_uwu.pdf\u0026rdquo; was submitted for analysis. The vulnerability allows specially crafted PDF files to bypass sandbox restrictions, invoke privileged JavaScript APIs, and potentially execute arbitrary code. Successful exploitation can lead to reading and stealing arbitrary local files. The impacted versions include Acrobat DC and Reader DC versions 26.001.21367 and earlier, as well as Acrobat 2024 versions 24.001.30356 and earlier. This zero-day requires immediate patching across enterprise and personal environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious PDF file containing JavaScript code designed to exploit CVE-2026-34621.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious PDF via email, web download, or other means.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious PDF in a vulnerable version of Adobe Acrobat or Reader.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the malicious PDF to bypass sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe PDF invokes privileged JavaScript APIs, such as \u003ccode\u003eutil.readFileIntoStream()\u003c/code\u003e, to read arbitrary local files.\u003c/li\u003e\n\u003cli\u003eThe PDF utilizes \u003ccode\u003eRSS.addFeed()\u003c/code\u003e to exfiltrate the stolen data to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information stored on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the initial access for further exploitation, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34621 allows attackers to bypass sandbox restrictions within Adobe Acrobat and Reader, leading to arbitrary code execution and unauthorized access to local files. This could result in the theft of sensitive data, such as credentials, financial information, or intellectual property. Although the number of victims is currently unknown, security researcher Gi7w0rm spotted attacks in the wild that leveraged Russian-language documents with oil and gas industry lures, and the potential impact is significant, especially for organizations that handle sensitive information in PDF documents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Adobe Acrobat DC and Reader DC to version 26.001.21411 or later, and Acrobat 2024 to version 24.001.30362 (Windows) or 24.001.30360 (Mac) via \u0026lsquo;Help \u0026gt; Check for Updates\u0026rsquo; to remediate CVE-2026-34621.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Execution of Suspicious JavaScript in PDFs\u0026rdquo; Sigma rule to identify potential exploitation attempts within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files matching the name \u0026ldquo;yummy_adobe_exploit_uwu.pdf\u0026rdquo; or similar filenames identified during future investigations.\u003c/li\u003e\n\u003cli\u003eEducate users to be cautious when opening PDF files from untrusted sources and encourage them to verify the sender\u0026rsquo;s authenticity before opening any attachments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T15:37:41Z","date_published":"2026-04-13T15:37:41Z","id":"/briefs/2026-04-adobe-reader-rce/","summary":"Adobe patched CVE-2026-34621, a zero-day vulnerability in Acrobat and Reader exploited since December, allowing malicious PDFs to bypass sandboxes and execute arbitrary code, potentially leading to local file theft.","title":"Adobe Acrobat and Reader CVE-2026-34621 Zero-Day Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-adobe-reader-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["mathjs","rce","expression-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMath.js is a popular open-source mathematics library for JavaScript. A critical vulnerability (GHSA-jvff-x2qm-6286) exists in versions prior to 15.2.0, allowing arbitrary JavaScript execution. This flaw stems from improperly controlled modification of dynamically-determined object attributes within the expression parser. Applications that utilize math.js to evaluate user-provided mathematical expressions are susceptible. The vulnerability was reported on April 10, 2026, and a patch was released in version 15.2.0. Successful exploitation could lead to complete compromise of the application\u0026rsquo;s server-side environment, enabling data theft, system modification, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious mathematical expression designed to exploit the vulnerability in math.js.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious expression to a vulnerable application that uses math.js for expression parsing.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s server-side code receives the input and passes it to the math.js \u003ccode\u003eevaluate()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eevaluate()\u003c/code\u003e function processes the expression, leading to unintended modification of object attributes.\u003c/li\u003e\n\u003cli\u003eThis modification triggers the execution of arbitrary JavaScript code embedded within the malicious expression.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code executes within the context of the server-side application, bypassing security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, modifies system configurations, or installs malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full remote code execution (RCE), compromising the entire application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary JavaScript code on the server running the vulnerable application. This can result in complete system compromise, including unauthorized data access, data modification, and denial of service. If the compromised application has access to sensitive databases or internal systems, the attacker can pivot to further compromise the internal network. The vulnerability impacts any application using math.js \u0026lt; 15.2.0 and allows users to evaluate arbitrary expressions, with potentially widespread consequences depending on the application\u0026rsquo;s role and permissions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade math.js to version 15.2.0 or later to patch the vulnerability (GHSA-jvff-x2qm-6286).\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, consider disabling or restricting user-provided expression evaluation functionalities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts against vulnerable math.js instances.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious patterns in user input indicative of expression injection attacks.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent malicious expressions from reaching the math.js parser.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-mathjs-rce/","summary":"A vulnerability in math.js versions before 15.2.0 allows for arbitrary JavaScript execution through the expression parser when evaluating user-supplied expressions.","title":"Math.js Improperly Controlled Modification of Object Attributes Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-mathjs-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40217"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-40217","litellm","rce","bytecode-rewriting"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLiteLLM, a library for simplifying interactions with Large Language Models (LLMs), is vulnerable to remote code execution (RCE) through version 2026-04-08. The vulnerability, identified as CVE-2026-40217, exists due to insufficient input validation at the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI. A remote attacker can exploit this flaw by rewriting bytecode, effectively injecting and executing arbitrary code on the server hosting LiteLLM. This vulnerability poses a significant risk, as it allows unauthenticated attackers with network access to the affected server to gain complete control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a LiteLLM instance running a vulnerable version (\u0026lt;= 2026-04-08) with the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e endpoint exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes specially crafted data designed to rewrite the bytecode executed by the LiteLLM instance.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM application, due to the vulnerability, processes the attacker-supplied data without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe application rewrites its own bytecode based on the attacker\u0026rsquo;s input.\u003c/li\u003e\n\u003cli\u003eThe rewritten bytecode contains malicious code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe application executes the rewritten bytecode, effectively executing the attacker\u0026rsquo;s injected code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server, allowing them to compromise the system, install malware, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40217 allows unauthenticated remote attackers to execute arbitrary code on systems running vulnerable versions of LiteLLM. This can lead to complete system compromise, including data theft, ransomware deployment, and denial of service. The vulnerability could affect any organization utilizing LiteLLM for LLM interaction, particularly those exposing the vulnerable endpoint to untrusted networks. The impact is rated as critical due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or upgrade to a version of LiteLLM that addresses CVE-2026-40217 immediately.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e endpoint, as referenced in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect LiteLLM Bytecode Rewrite Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI, using the log source specified in the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-litellm-rce/","summary":"LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI, potentially leading to complete system compromise.","title":"LiteLLM Remote Code Execution via Bytecode Rewriting (CVE-2026-40217)","url":"https://feed.craftedsignal.io/briefs/2026-04-litellm-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33618"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["chamilo","rce","eval-injection","cve-2026-33618"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS is a widely used open-source learning management system. CVE-2026-33618 affects versions prior to 2.0.0-RC.3. The vulnerability lies within the \u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e method, which unsafely uses PHP\u0026rsquo;s \u003ccode\u003eeval()\u003c/code\u003e function to parse platform settings retrieved from the database. An attacker who has already gained administrative access to the Chamilo LMS platform can inject arbitrary PHP code into these settings. This injected code is then executed whenever \u003cem\u003eany\u003c/em\u003e user, including unauthenticated users, makes a request to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint. This allows for unauthenticated remote code execution, making it a critical vulnerability for organizations using affected versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains administrative access to the Chamilo LMS instance (potentially through a separate vulnerability or compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the platform configuration settings page within the Chamilo LMS admin panel.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious PHP code into a configurable setting field. This code is designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code is saved to the Chamilo LMS database.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user makes a request to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e method is called to process the platform settings from the database.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker\u0026rsquo;s injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the Chamilo LMS server, enabling them to potentially compromise the entire system and connected networks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33618 allows an attacker to execute arbitrary PHP code on the Chamilo LMS server. This can lead to full system compromise, data exfiltration, defacement, or denial-of-service. Given that Chamilo LMS is used by educational institutions and organizations worldwide, a successful attack could impact thousands of users and expose sensitive student or employee data. The vulnerability\u0026rsquo;s ease of exploitation, requiring only admin access and an unauthenticated request to a specific endpoint, makes it a highly attractive target for malicious actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS instances to version 2.0.0-RC.3 or later to patch CVE-2026-33618.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint originating from unusual IP addresses or user agents using the Sigma rule \u003ccode\u003eChamilo_Suspicious_PlatformConfig_Access\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eChamilo_Eval_Based_Code_Execution\u003c/code\u003e to detect potential exploitation attempts based on unusual PHP processes spawned from the web server.\u003c/li\u003e\n\u003cli\u003eReview and audit all Chamilo LMS administrative accounts for suspicious activity to prevent initial access to vulnerable configuration settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-rce/","summary":"Chamilo LMS versions prior to 2.0.0-RC.3 are vulnerable to remote code execution (RCE) via eval injection, where an authenticated administrator can inject arbitrary PHP code into platform settings that is then executed when any user (including unauthenticated) requests the /platform-config/list endpoint.","title":"Chamilo LMS Unauthenticated Remote Code Execution via Configuration Injection (CVE-2026-33618)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["praisonai","rce","yaml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI is vulnerable to remote code execution via specially crafted YAML files. The vulnerability stems from the \u003ccode\u003epraisonai workflow run \u0026lt;file.yaml\u0026gt;\u003c/code\u003e command, which, when processing YAML files with \u003ccode\u003etype: job\u003c/code\u003e, executes steps through the \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e. This execution path supports shell command execution via \u003ccode\u003esubprocess.run()\u003c/code\u003e, inline Python execution via \u003ccode\u003eexec()\u003c/code\u003e, and arbitrary Python script execution. An attacker can leverage this to inject malicious code into a YAML file, such as \u003ccode\u003eexploit.yaml\u003c/code\u003e, to achieve arbitrary host command execution. Versions of \u003ccode\u003epip/praisonaiagents\u003c/code\u003e up to and including 1.5.139 and \u003ccode\u003epip/PraisonAI\u003c/code\u003e up to and including 4.5.138 are affected. This is especially critical in CI/CD environments or shared deployment contexts where untrusted YAML files may be processed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML file (e.g., \u003ccode\u003eexploit.yaml\u003c/code\u003e) containing commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where PraisonAI is installed and can execute the \u003ccode\u003epraisonai\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command \u003ccode\u003epraisonai workflow run exploit.yaml\u003c/code\u003e, pointing to the malicious YAML file.\u003c/li\u003e\n\u003cli\u003ePraisonAI parses the YAML file and identifies the \u003ccode\u003etype: job\u003c/code\u003e directive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e is invoked to process the workflow steps.\u003c/li\u003e\n\u003cli\u003eWithin the workflow steps, commands specified using \u003ccode\u003erun:\u003c/code\u003e, \u003ccode\u003escript:\u003c/code\u003e, or \u003ccode\u003epython:\u003c/code\u003e directives are executed. Specifically, \u003ccode\u003e_exec_shell()\u003c/code\u003e executes shell commands, \u003ccode\u003e_exec_inline_python()\u003c/code\u003e executes inline Python, and \u003ccode\u003e_exec_python_script()\u003c/code\u003e executes Python scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, performing actions such as writing files (e.g., \u003ccode\u003epwned.txt\u003c/code\u003e) or executing arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host system, leading to potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epip/praisonaiagents\u003c/code\u003e and \u003ccode\u003epip/PraisonAI\u003c/code\u003e to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the \u003ccode\u003etype: job\u003c/code\u003e directive to prevent execution of arbitrary commands and code.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Workflow Execution with Suspicious YAML\u0026rdquo; to your SIEM to detect potential exploitation attempts, based on log source \u003ccode\u003eprocess_creation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T19:32:48Z","date_published":"2026-04-10T19:32:48Z","id":"/briefs/2024-01-03-praisonai-rce/","summary":"PraisonAI is vulnerable to remote code execution; loading untrusted YAML files with `type: job` can lead to arbitrary host command execution, potentially enabling full system compromise.","title":"PraisonAI Remote Code Execution via Malicious Workflow YAML","url":"https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI is vulnerable to remote code execution due to a misconfiguration in the Chainlit UI modules (\u003ccode\u003echat.py\u003c/code\u003e and \u003ccode\u003ecode.py\u003c/code\u003e). Specifically, the application hardcodes \u003ccode\u003econfig.approval_mode = \u0026quot;auto\u0026quot;\u003c/code\u003e, effectively disabling the intended human-in-the-loop approval mechanism for ACP tool executions, even when administrators configure the application to require manual approval. This override occurs after the application loads administrator configurations from the \u003ccode\u003ePRAISON_APPROVAL_MODE\u003c/code\u003e environment variable. Consequently, an authenticated user, including those using default credentials, can instruct the LLM agent to execute arbitrary single-command shell operations on the server without any approval prompt, subject only to the PraisonAI process’s OS-level permissions. The vulnerability affects PraisonAI versions prior to 4.5.128.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the PraisonAI UI using valid credentials (default admin/admin if unchanged).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a chat message that instructs the LLM agent to execute a shell command via the \u003ccode\u003eacp_execute_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe LLM agent parses the message and prepares the command for execution.\u003c/li\u003e\n\u003cli\u003eDue to the hardcoded \u003ccode\u003eapproval_mode = \u0026quot;auto\u0026quot;\u003c/code\u003e in \u003ccode\u003echat.py\u003c/code\u003e or \u003ccode\u003ecode.py\u003c/code\u003e, the command bypasses the intended approval process in \u003ccode\u003eagent_tools.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.run()\u003c/code\u003e function in \u003ccode\u003eaction_orchestrator.py\u003c/code\u003e executes the attacker-controlled command with \u003ccode\u003eshell=True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command executes with the permissions of the PraisonAI process.\u003c/li\u003e\n\u003cli\u003eThe result of the command execution is returned to the attacker via the chat interface.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to achieve code execution, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated user to execute arbitrary shell commands on the server hosting PraisonAI. This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eConfidentiality breach:\u003c/strong\u003e Read sensitive files accessible to the process (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application secrets).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIntegrity compromise:\u003c/strong\u003e Modify or delete files, install backdoors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAvailability impact:\u003c/strong\u003e Kill processes, consume resources, delete data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator control undermined:\u003c/strong\u003e The hardcoded \u003ccode\u003eapproval_mode\u003c/code\u003e silently overrides administrator-configured settings, creating a false sense of security.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrompt injection vector:\u003c/strong\u003e Malicious content could trigger command execution through auto-approved tools without direct user intent, especially through external sources like web searches or uploaded files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe vulnerable versions are PraisonAI versions prior to 4.5.128.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade PraisonAI:\u003c/strong\u003e Upgrade to version 4.5.128 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApply Code-Level Fix:\u003c/strong\u003e If upgrading is not immediately feasible, manually remove the hardcoded override in \u003ccode\u003echat.py\u003c/code\u003e and \u003ccode\u003ecode.py\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Allowlisting:\u003c/strong\u003e Strengthen command sanitization by implementing an allowlist approach instead of a blocklist in the \u003ccode\u003e_sanitize_command()\u003c/code\u003e function as described in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Process Creation:\u003c/strong\u003e Deploy the Sigma rule \u0026ldquo;Detect Suspicious PraisonAI Command Execution\u0026rdquo; to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Network Connections:\u003c/strong\u003e Deploy the Sigma rule \u0026ldquo;Detect Suspicious Outbound Connection from PraisonAI\u0026rdquo; to identify potential data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Authentication:\u003c/strong\u003e Ensure strong passwords are in use and consider multi-factor authentication to mitigate risks from compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T19:25:49Z","date_published":"2026-04-10T19:25:49Z","id":"/briefs/2024-01-09-praisonai-rce/","summary":"A vulnerability in PraisonAI allows authenticated users to execute arbitrary shell commands due to a hardcoded approval setting in the Chainlit UI modules, overriding administrator configurations and bypassing intended approval gates; insufficient command sanitization allows for destructive command execution, leading to confidentiality breach, integrity compromise, and availability impact on the server.","title":"PraisonAI UI Hardcoded Approval Mode Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-09-praisonai-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35643"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35643","rce","android"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.22 are susceptible to a critical vulnerability (CVE-2026-35643) stemming from an unvalidated WebView JavascriptInterface. This flaw enables attackers to inject arbitrary instructions and execute malicious code within the context of the Android application. The vulnerability arises because untrusted web pages can exploit the canvas bridge, a component responsible for communication between the WebView and the native Android code. Successful exploitation allows an attacker to gain control over the application\u0026rsquo;s resources and potentially the device itself. This is a severe risk for any application using OpenClaw, as it could lead to data theft, malware installation, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application utilizing a vulnerable version of OpenClaw (prior to 2026.3.22).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page containing JavaScript code designed to exploit the unvalidated WebView JavascriptInterface.\u003c/li\u003e\n\u003cli\u003eThe victim unknowingly navigates to the attacker-controlled web page, likely through social engineering or malicious advertising.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code on the page interacts with the vulnerable canvas bridge within the OpenClaw WebView.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary instructions through the canvas bridge, leveraging the lack of input validation.\u003c/li\u003e\n\u003cli\u003eThese injected instructions are then executed within the Android application context, bypassing security restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application\u0026rsquo;s resources, such as user data or device functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially leading to data exfiltration, malware installation, or complete device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-35643 in OpenClaw can lead to complete compromise of the Android application and potentially the device it is running on. This can result in data theft, unauthorized access to sensitive information, installation of malware, and other malicious activities. While the exact number of vulnerable applications is unknown, the widespread use of OpenClaw could potentially affect a large number of users. The vulnerability is particularly dangerous because it can be exploited remotely through a simple web page, making it easily accessible to attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.22 or later to patch CVE-2026-35643, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all data received through the WebView JavascriptInterface to prevent arbitrary code injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to exploit the canvas bridge within OpenClaw (see \u0026ldquo;Detect Suspicious WebView Bridge Usage\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor web traffic for access to untrusted URLs from applications utilizing OpenClaw to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:17:04Z","date_published":"2026-04-10T17:17:04Z","id":"/briefs/2026-04-openclaw-webview-rce/","summary":"OpenClaw before 2026.3.22 is vulnerable to arbitrary code execution due to an unvalidated WebView JavascriptInterface, allowing attackers to inject malicious instructions by invoking the canvas bridge from untrusted pages.","title":"OpenClaw WebView JavascriptInterface Vulnerability (CVE-2026-35643)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-webview-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5989"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","rce"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the \u003ccode\u003efromRouteStatic\u003c/code\u003e function of the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. By manipulating the \u003ccode\u003epage\u003c/code\u003e argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload designed to overflow the stack buffer in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromRouteStatic\u003c/code\u003e function processes the malicious \u003ccode\u003epage\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon function return, control is redirected to the attacker-controlled memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the router, potentially allowing further exploitation or network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e containing abnormally long \u003ccode\u003epage\u003c/code\u003e arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule \u003ccode\u003eDetect Tenda F451 Exploit Attempt\u003c/code\u003e to detect these malicious requests.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eSince there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T00:16:36Z","date_published":"2026-04-10T00:16:36Z","id":"/briefs/2026-04-tenda-rce/","summary":"A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["rce","environment-variable-injection","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is vulnerable to a remote code execution (RCE) issue affecting versions prior to 2026.4.8. The vulnerability, identified as GHSA-cm8v-2vh9-cxf3, stems from missing denylist entries for environment variables that influence build tools. Specifically, HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS were not properly sanitized, allowing a malicious actor to inject arbitrary commands into the build process. This can lead to the execution of untrusted code on the host system. The vulnerability was reported by @boy-hack of Tencent zhuque Lab. The fix is available in version 2026.4.8 and commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious environment variables, such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS, containing shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a build process within OpenClaw that utilizes the affected environment variables. This could involve providing a specific input or interacting with OpenClaw in a way that initiates a build operation.\u003c/li\u003e\n\u003cli\u003eDue to the missing denylist, OpenClaw does not sanitize the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe build tool, influenced by the attacker-controlled environment variables, executes the injected shell commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands execute with the privileges of the OpenClaw process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as installing malware, exfiltrating data, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system running OpenClaw. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. Given OpenClaw\u0026rsquo;s nature as a user-controlled local assistant, the impact is primarily on individual user systems. However, in environments where OpenClaw is deployed more broadly, the vulnerability could be leveraged to compromise multiple machines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch the vulnerability (see \u0026ldquo;Affected Packages / Versions\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by OpenClaw or its build tool subprocesses (see rules below).\u003c/li\u003e\n\u003cli\u003eImplement additional input validation and sanitization measures to prevent environment variable injection in other applications.\u003c/li\u003e\n\u003cli\u003eReview and harden build processes to limit the influence of environment variables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:29Z","date_published":"2026-04-09T14:22:29Z","id":"/briefs/2024-01-09-openclaw-rce/","summary":"OpenClaw versions prior to 2026.4.8 are vulnerable to remote code execution (RCE) via build tool environment variable injection due to missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS, allowing hostile environment variables to influence host exec commands.","title":"OpenClaw RCE via Build Tool Environment Variable Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-1490"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2024-1490","wago-plc","openvpn","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2024-1490 describes a critical vulnerability affecting WAGO Programmable Logic Controllers (PLCs). A remote attacker with existing high-privilege access to the PLC\u0026rsquo;s web-based management interface can exploit the OpenVPN configuration. The vulnerability stems from insufficient input validation within the OpenVPN configuration settings. If the PLC\u0026rsquo;s OpenVPN setup permits user-defined scripts, a malicious actor can inject arbitrary shell commands. Successful exploitation allows the attacker to execute arbitrary code on the underlying operating system of the WAGO PLC, potentially leading to full device compromise. This vulnerability was reported by CERT VDE and impacts WAGO PLCs that utilize a vulnerable web-based management interface and permit user-defined scripts in their OpenVPN configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial high-privilege access to the WAGO PLC\u0026rsquo;s web-based management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OpenVPN configuration section within the management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the OpenVPN configuration allows for user-defined scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious OpenVPN configuration file or injects malicious commands via existing configuration options. This configuration contains embedded shell commands designed for execution on the PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or applies the modified OpenVPN configuration to the WAGO PLC through the web interface.\u003c/li\u003e\n\u003cli\u003eThe WAGO PLC processes the OpenVPN configuration, leading to the execution of the attacker-supplied shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the underlying operating system of the WAGO PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this initial foothold to perform further actions, such as deploying malware, exfiltrating sensitive information, or disrupting industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1490 allows an attacker to execute arbitrary code on a WAGO PLC. This can lead to complete compromise of the device, potentially affecting the industrial processes it controls. An attacker could disrupt operations, manipulate data, or use the compromised PLC as a pivot point for further attacks within the industrial network. The severity of the impact depends on the role of the compromised PLC within the industrial environment, potentially leading to significant financial losses, safety incidents, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict access to the WAGO PLC\u0026rsquo;s web-based management interface by enforcing strong authentication and authorization mechanisms to prevent unauthorized access (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of user-defined scripts within the OpenVPN configuration to mitigate the risk of command injection (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to OpenVPN configuration changes, looking for unusual POST requests or configuration parameters (see \u0026ldquo;rules\u0026rdquo; section below).\u003c/li\u003e\n\u003cli\u003eImplement regular security audits of WAGO PLC configurations, focusing on OpenVPN settings and user-defined scripts (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eReview and apply the security recommendations provided by CERT VDE in their advisory, available at \u003ca href=\"https://certvde.com/de/advisories/VDE-2024-008\"\u003ehttps://certvde.com/de/advisories/VDE-2024-008\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T11:16:19Z","date_published":"2026-04-09T11:16:19Z","id":"/briefs/2026-04-wago-plc-openvpn-rce/","summary":"An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC to achieve arbitrary command execution on the device.","title":"WAGO PLC OpenVPN Configuration Vulnerability (CVE-2024-1490)","url":"https://feed.craftedsignal.io/briefs/2026-04-wago-plc-openvpn-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI versions prior to 4.5.121 are susceptible to OS command injection. The vulnerability stems from the application\u0026rsquo;s use of \u003ccode\u003esubprocess.run()\u003c/code\u003e with the \u003ccode\u003eshell=True\u003c/code\u003e parameter when executing commands derived from various user-controlled inputs. These inputs include YAML workflow definitions, agent configuration files (agents.yaml), LLM-generated tool call parameters, and recipe step configurations. This configuration allows an attacker to inject arbitrary shell commands through shell metacharacters, leading to potential remote code execution and system compromise. This vulnerability is particularly concerning in automated environments like CI/CD pipelines or agent workflows, where unintended command execution can occur without direct user awareness.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML workflow definition or modifies an existing one, injecting shell metacharacters into the \u003ccode\u003etarget\u003c/code\u003e field of a \u003ccode\u003eshell\u003c/code\u003e step.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eagents.yaml\u003c/code\u003e file, injecting malicious commands into the \u003ccode\u003eshell_command\u003c/code\u003e field of an agent task.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the crafted YAML workflow or loads the modified \u003ccode\u003eagents.yaml\u003c/code\u003e file using PraisonAI\u0026rsquo;s command-line interface.\u003c/li\u003e\n\u003cli\u003ePraisonAI parses the YAML file and extracts the attacker-controlled command string.\u003c/li\u003e\n\u003cli\u003eThe application then passes this command string to \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e, allowing the shell to interpret the injected metacharacters.\u003c/li\u003e\n\u003cli\u003eThe shell executes the attacker\u0026rsquo;s injected commands, potentially performing actions like reading sensitive files, exfiltrating data, or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eIf using agent mode, an attacker can influence the LLM\u0026rsquo;s context to generate malicious tool calls including shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with the privileges of the PraisonAI process, leading to system compromise or data breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary shell commands on the affected system. This can lead to a variety of negative consequences, including unauthorized access to sensitive data (such as configuration files, credentials, or user data), modification or deletion of system files, and potentially full system compromise. In automated environments like CI/CD pipelines, this vulnerability could allow an attacker to inject malicious code into software builds, leading to supply chain attacks. The vulnerability affects versions of PraisonAI prior to 4.5.121.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Command Injection via Workflow\u0026rdquo; to identify attempts to exploit this vulnerability through malicious YAML workflow definitions (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Command Injection via Agent Configuration\u0026rdquo; to identify attempts to exploit this vulnerability through malicious agent configurations (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003eattacker.com\u003c/code\u003e listed in the IOC table at the DNS resolver to prevent data exfiltration and command-and-control communication (type: \u003ccode\u003edomain\u003c/code\u003e, value: \u003ccode\u003eattacker.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.121 or later to patch this vulnerability (Affected Packages).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T21:52:10Z","date_published":"2026-04-08T21:52:10Z","id":"/briefs/2024-02-29-praisonai-command-injection/","summary":"PraisonAI is vulnerable to OS command injection due to the use of `subprocess.run()` with `shell=True` on user-controlled inputs, allowing attackers to inject arbitrary shell commands and potentially leading to sensitive data exfiltration or system compromise in versions prior to 4.5.121.","title":"PraisonAI Vulnerable to OS Command Injection","url":"https://feed.craftedsignal.io/briefs/2024-02-29-praisonai-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32590"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-32590","redhat-quay","deserialization","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRed Hat Quay is vulnerable to a critical deserialization flaw, identified as CVE-2026-32590. This vulnerability resides in the handling of resumable container image layer uploads. Specifically, the way Quay stores intermediate data in its database during the upload process is susceptible to tampering. An attacker with the ability to manipulate this stored data can leverage this vulnerability to inject malicious serialized objects. When Quay attempts to deserialize this tampered data, it leads to arbitrary code execution within the Quay server\u0026rsquo;s context. This poses a significant risk to the integrity and confidentiality of the container registry. The vulnerability was reported on April 8, 2026, and affects deployments of Red Hat Quay that have not been patched. Successful exploitation allows attackers to gain full control over the Quay server, potentially leading to data breaches, service disruption, and supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the Quay server\u0026rsquo;s database or the mechanism used to store intermediate data during resumable uploads, potentially through SQL injection or other database vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts a container image layer upload request to the Quay server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a serialized object designed to execute arbitrary code upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the intermediate data stored in the database associated with the targeted resumable upload.\u003c/li\u003e\n\u003cli\u003eThe Quay server, during the process of resuming the upload, retrieves the tampered intermediate data from the database.\u003c/li\u003e\n\u003cli\u003eThe Quay server attempts to deserialize the data, triggering the execution of the malicious code embedded within the crafted serialized object.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the Quay server with the privileges of the Quay application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to compromise the entire Quay registry, potentially exfiltrating sensitive data, injecting malicious images, or disrupting the service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32590 allows for arbitrary code execution on the Red Hat Quay server. This can lead to a complete compromise of the container registry, potentially affecting all container images stored within. Depending on the Quay server\u0026rsquo;s configuration and connected systems, this could lead to further lateral movement within the network and compromise of other critical infrastructure. The severity is rated as HIGH with a CVSS score of 7.1, indicating a significant risk. If exploited, organizations could face data breaches, supply chain attacks through compromised container images, and prolonged service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a fixed version of Red Hat Quay as recommended by Red Hat to address CVE-2026-32590.\u003c/li\u003e\n\u003cli\u003eImplement database access controls to restrict unauthorized access and modification of the Quay database to prevent tampering with intermediate data.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) to inspect and filter potentially malicious payloads in container image layer upload requests to mitigate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable robust logging and monitoring of database access and deserialization operations within the Quay server to detect suspicious activities related to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Quay Deserialization Attempt\u003c/code\u003e to identify potential exploitation attempts based on process execution and network connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T18:25:59Z","date_published":"2026-04-08T18:25:59Z","id":"/briefs/2026-04-redhat-quay-rce/","summary":"CVE-2026-32590 describes a deserialization vulnerability in Red Hat Quay's handling of resumable container image layer uploads, potentially allowing an attacker to execute arbitrary code on the Quay server by tampering with intermediate data stored in the database.","title":"Red Hat Quay Deserialization Vulnerability Leads to Remote Code Execution (CVE-2026-32590)","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-quay-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xwiki","rce","velocity","scripting","CVE-2026-33229"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eXWiki versions before 17.4.8 and 17.10.1 are susceptible to remote code execution (RCE) due to an improperly protected Velocity scripting API. This vulnerability, identified as CVE-2026-33229, allows users with existing script rights to bypass the intended sandboxing mechanisms of the Velocity scripting API. By exploiting this flaw, attackers can execute arbitrary code, including potentially malicious Python scripts, on the XWiki instance. This vulnerability allows an attacker to gain complete control over the XWiki instance, compromising the confidentiality, integrity, and availability of the system and its data. The issue has been addressed in XWiki versions 17.4.8 and 17.10.1 by enforcing a requirement for programming rights to access the vulnerable API.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains script rights within the XWiki instance, either through compromised credentials or misconfigured permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request leveraging the unprotected Velocity scripting API.\u003c/li\u003e\n\u003cli\u003eThis request bypasses the intended sandboxing of the Velocity scripting engine.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary code, such as a Python script, into the Velocity template.\u003c/li\u003e\n\u003cli\u003eThe Velocity engine executes the injected code on the XWiki server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution privileges on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to install a web shell.\u003c/li\u003e\n\u003cli\u003eUsing the web shell, the attacker gains complete control over the XWiki instance, enabling data theft, modification, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers complete control over the XWiki instance. This can lead to the theft of sensitive data stored within the XWiki, unauthorized modification of existing data, or a complete denial of service. While the exact number of potential victims is unknown, any XWiki instance running a vulnerable version is at risk, particularly those where script rights are broadly assigned. This vulnerability has the potential to severely impact organizations relying on XWiki for critical business functions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XWiki instances to version 17.4.8 or 17.10.1 or later to patch CVE-2026-33229.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious XWiki Velocity Scripting API Usage\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict script rights assignments within XWiki to minimize the attack surface, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T15:00:17Z","date_published":"2026-04-08T15:00:17Z","id":"/briefs/2026-04-xwiki-rce/","summary":"XWiki is vulnerable to remote code execution due to an improperly protected scripting API, allowing users with script rights to bypass the Velocity scripting API sandbox and execute arbitrary code, leading to full instance compromise.","title":"XWiki Remote Code Execution via Unprotected Velocity Scripting API","url":"https://feed.craftedsignal.io/briefs/2026-04-xwiki-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":8.5,"id":"CVE-2024-32114"},{"cvss":8.8,"id":"CVE-2022-41678"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","jolokia","cve-2026-34197","cve-2024-32114","cve-2022-41678","spring-xml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA remote code execution vulnerability, CVE-2026-34197, has been identified in Apache ActiveMQ Classic, an open-source messaging and Integration Patterns server widely used across industries. This vulnerability, present for 13 years, allows attackers to invoke management operations through the Jolokia API and instruct the broker to retrieve a remote configuration file, leading to OS command execution. This is achieved by bypassing CVE-2022-41678, a previous bug that allowed webshell creation. Additionally, CVE-2024-32114 exposes the Jolokia API to unauthenticated users in ActiveMQ versions 6.0.0 through 6.1.1, enabling potential RCE without authentication. The vulnerability affects ActiveMQ Classic deployments and was addressed in versions 5.19.4 and 6.2.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Apache ActiveMQ Classic instance running a vulnerable version (prior to 5.19.4 or 6.2.3).\u003c/li\u003e\n\u003cli\u003eIf the instance is running ActiveMQ 6.0.0 through 6.1.1, the attacker leverages CVE-2024-32114 to access the Jolokia API without authentication. Otherwise, the attacker authenticates to the ActiveMQ instance.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes management operations through the Jolokia API to target ActiveMQ\u0026rsquo;s VM transport feature.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a VM transport URI referencing a non-existent broker.\u003c/li\u003e\n\u003cli\u003eActiveMQ creates the broker and accepts a parameter instructing it to load a configuration from a URL controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious Spring XML configuration file on a remote server.\u003c/li\u003e\n\u003cli\u003eThe ActiveMQ broker retrieves and processes the malicious Spring XML configuration file.\u003c/li\u003e\n\u003cli\u003eThe Spring XML file instantiates bean definitions that execute arbitrary OS commands, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially impacting numerous industries relying on this messaging middleware. Attackers could gain unauthorized access to sensitive data, disrupt message queues, and pivot to other systems within the network. The scope of the impact depends on the ActiveMQ deployment and the attacker\u0026rsquo;s objectives. Unauthenticated exploitation via CVE-2024-32114 significantly broadens the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Apache ActiveMQ Classic to versions 5.19.4 or 6.2.3 or later to address CVE-2026-34197.\u003c/li\u003e\n\u003cli\u003eFor ActiveMQ versions 6.0.0 through 6.1.1, verify the configuration and security constraints to ensure the Jolokia API is not exposed without authentication, mitigating CVE-2024-32114.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;ActiveMQ Jolokia API Access\u0026rdquo; to monitor for unauthorized access attempts to the Jolokia API.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius in case of a successful compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by the ActiveMQ Java process, leveraging the \u0026ldquo;ActiveMQ Suspicious Process Creation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T14:30:27Z","date_published":"2026-04-08T14:30:27Z","id":"/briefs/2026-04-activemq-rce/","summary":"A remote code execution vulnerability (CVE-2026-34197) in Apache ActiveMQ Classic allows authenticated attackers to invoke management operations through the Jolokia API to retrieve a remote configuration file and execute OS commands, potentially exploitable without authentication via CVE-2024-32114.","title":"Apache ActiveMQ Classic RCE via Jolokia API Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3296"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","php","object-injection","rce","cve-2026-3296"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. This vulnerability stems from the insecure deserialization of user-supplied data within the \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file. Specifically, the plugin uses PHP\u0026rsquo;s \u003ccode\u003eunserialize()\u003c/code\u003e function on form entry metadata stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table without specifying allowed classes, creating an exploitable condition. An unauthenticated attacker can inject malicious serialized PHP objects through any public form field. The \u003ccode\u003esanitize_text_field()\u003c/code\u003e function fails to prevent these attacks because it doesn\u0026rsquo;t strip serialization control characters. This allows attackers to execute arbitrary PHP code on the WordPress server when an administrator views form entries. This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker submits a malicious serialized PHP object through a public Everest Forms form field.\u003c/li\u003e\n\u003cli\u003eThe submitted payload bypasses the \u003ccode\u003esanitize_text_field()\u003c/code\u003e function due to the function\u0026rsquo;s failure to remove serialization control characters.\u003c/li\u003e\n\u003cli\u003eThe crafted serialized object is stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e database table associated with the form entry.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the WordPress administration panel and navigates to the Everest Forms entries section.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file is executed to display form entries and their associated metadata.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored serialized object from the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize()\u003c/code\u003e function is called on the retrieved data \u003cem\u003ewithout\u003c/em\u003e the \u003ccode\u003eallowed_classes\u003c/code\u003e parameter, triggering PHP Object Injection.\u003c/li\u003e\n\u003cli\u003eThe injected PHP object is instantiated, leading to arbitrary PHP code execution on the server, potentially granting the attacker complete control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious unserialize Call in Everest Forms\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WordPress form submission endpoints containing serialized PHP objects, as detected by the \u003ccode\u003eDetect Suspicious Form Submission with Serialized Data\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-everest-forms-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.","title":"Everest Forms WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-everest-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3357"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-3357","deserialization","rce","langflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIBM Langflow Desktop, a low-code platform designed to build custom LLM applications, is susceptible to a critical vulnerability (CVE-2026-3357) affecting versions 1.6.0 through 1.8.2. The flaw stems from an insecure default setting within the FAISS (Facebook AI Similarity Search) component, which permits the deserialization of untrusted data. This vulnerability allows an authenticated user to execute arbitrary code on the host system. Successful exploitation grants the attacker full control over the Langflow Desktop instance and potentially the underlying system. Due to the ease of exploitation, especially for authenticated users, defenders must prioritize patching or mitigating this issue to prevent potential breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the vulnerable IBM Langflow Desktop application (versions 1.6.0 through 1.8.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious serialized data designed to exploit the insecure deserialization vulnerability in the FAISS component.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious serialized data into the Langflow application, potentially through a manipulated API request or a crafted workflow file.\u003c/li\u003e\n\u003cli\u003eLangflow Desktop processes the malicious data using the vulnerable FAISS component.\u003c/li\u003e\n\u003cli\u003eThe FAISS component deserializes the untrusted data without proper validation.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the malicious payload is executed, leading to arbitrary code execution within the context of the Langflow Desktop application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Langflow Desktop application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges, install malware, or exfiltrate sensitive data from the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3357 allows an attacker to execute arbitrary code on the system running IBM Langflow Desktop. This could lead to complete system compromise, including data theft, malware installation, and denial of service. Given the low complexity and the ability to exploit it with authentication, this vulnerability poses a significant risk to organizations using the affected versions of Langflow Desktop. The impact is amplified if the Langflow Desktop instance has access to sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade IBM Langflow Desktop to a patched version that addresses CVE-2026-3357. Refer to IBM\u0026rsquo;s security advisory (\u003ca href=\"https://www.ibm.com/support/pages/node/7268428\"\u003ehttps://www.ibm.com/support/pages/node/7268428\u003c/a\u003e) for specific upgrade instructions.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent the deserialization of untrusted data.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to Langflow Desktop, such as unexpected API calls or data transfers.\u003c/li\u003e\n\u003cli\u003eEnable logging for Langflow Desktop and related components, and analyze logs for signs of exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block attempts to exploit deserialization vulnerabilities in web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T01:16:41Z","date_published":"2026-04-08T01:16:41Z","id":"/briefs/2026-04-langflow-rce/","summary":"IBM Langflow Desktop versions 1.6.0 through 1.8.2 is vulnerable to arbitrary code execution due to insecure deserialization of untrusted data, allowing an authenticated user to execute code on the system.","title":"IBM Langflow Desktop Deserialization RCE (CVE-2026-3357)","url":"https://feed.craftedsignal.io/briefs/2026-04-langflow-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32862"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32862","ni-labview","memory-corruption","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical memory corruption vulnerability, identified as CVE-2026-32862, exists within NI LabVIEW\u0026rsquo;s ResFileFactory::InitResourceMgr() function. This out-of-bounds write vulnerability can be exploited to achieve both information disclosure and arbitrary code execution on affected systems. The attack vector involves enticing a user to open a specially crafted VI (Virtual Instrument) file within LabVIEW. Successful exploitation of this vulnerability could allow an attacker to compromise the confidentiality, integrity, and availability of the system. The scope of this vulnerability is limited to NI LabVIEW versions 2026 Q1 (26.1.0) and all prior versions. Defenders should prioritize applying the patch provided by National Instruments to mitigate the risk posed by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious LabVIEW VI file (.vi) containing a payload designed to trigger the out-of-bounds write in \u003ccode\u003eResFileFactory::InitResourceMgr()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious VI file to a target user, potentially through social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious VI file within a vulnerable version of NI LabVIEW (2026 Q1 (26.1.0) or prior).\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to parse the resource data within the VI file, leading to the execution of the \u003ccode\u003eResFileFactory::InitResourceMgr()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted payload triggers the out-of-bounds write vulnerability in \u003ccode\u003eResFileFactory::InitResourceMgr()\u003c/code\u003e, corrupting memory.\u003c/li\u003e\n\u003cli\u003eDepending on the payload, this memory corruption can lead to either information disclosure (reading sensitive data from memory) or arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eIf the attacker achieves code execution, they can gain control of the LabVIEW process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the compromised LabVIEW process to perform further actions, such as installing malware, exfiltrating data, or disrupting system operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32862 allows an attacker to achieve arbitrary code execution or information disclosure on systems running vulnerable versions of NI LabVIEW. The impact of this vulnerability is significant, as it can lead to complete system compromise, data theft, and disruption of critical processes controlled by LabVIEW. The vulnerability is especially concerning for organizations that rely on LabVIEW for critical infrastructure, manufacturing, and research applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by National Instruments to address CVE-2026-32862 in NI LabVIEW versions 2026 Q1 (26.1.0) and prior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious LabVIEW File Opening\u003c/code\u003e to identify potential exploitation attempts by monitoring process creation events related to LabVIEW and VI file opening.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of opening VI files from untrusted sources to prevent social engineering attacks.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and logging (e.g., Sysmon) to capture detailed information about process execution and file access for forensic analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:24Z","date_published":"2026-04-07T20:16:24Z","id":"/briefs/2026-04-ni-labview-rce/","summary":"A memory corruption vulnerability (CVE-2026-32862) in NI LabVIEW versions 2026 Q1 (26.1.0) and prior, stemming from an out-of-bounds write in ResFileFactory::InitResourceMgr(), can lead to information disclosure or arbitrary code execution if a user opens a malicious VI file.","title":"NI LabVIEW Memory Corruption Vulnerability (CVE-2026-32862)","url":"https://feed.craftedsignal.io/briefs/2026-04-ni-labview-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-39337"},{"cvss":10,"id":"CVE-2025-62521"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2026-39337","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a critical pre-authentication remote code execution (RCE) flaw, identified as CVE-2026-39337. This vulnerability affects versions prior to 7.1.0. Unauthenticated attackers can exploit the setup wizard during the initial installation process to inject arbitrary PHP code, leading to complete server compromise. The root cause lies in the insufficient sanitization of the \u0026ldquo;$dbPassword\u0026rdquo; variable. This vulnerability is a result of an incomplete fix for a previous vulnerability, CVE-2025-62521. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access, data breaches, and complete system takeover. Upgrading to version 7.1.0 or later is strongly advised to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to the ChurchCRM setup wizard.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects arbitrary PHP code into the \u003ccode\u003e$dbPassword\u003c/code\u003e variable during the setup process.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the injected PHP code is written to the ChurchCRM configuration file.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the configuration file, executing the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain full control of the server.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a persistent backdoor for continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39337 allows an unauthenticated attacker to achieve complete server compromise. This could result in the theft of sensitive church member data, modification or destruction of data, defacement of the ChurchCRM website, or use of the server as a platform for launching further attacks. Given the critical nature of the vulnerability and the ease of exploitation, organizations are at high risk. The number of potential victims is high considering the wide usage of this CRM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 or later to patch CVE-2026-39337.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the ChurchCRM setup wizard. Deploy a Sigma rule to detect suspicious POST requests to the install endpoint.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and sanitization for all user-supplied data, especially during the installation process.\u003c/li\u003e\n\u003cli\u003eReview and harden the web server configuration to prevent unauthorized code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:45Z","date_published":"2026-04-07T18:16:45Z","id":"/briefs/2026-04-churchcrm-rce/","summary":"A critical pre-authentication remote code execution vulnerability in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise.","title":"ChurchCRM Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39337)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35573"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a path traversal attack affecting versions prior to 6.5.3. This vulnerability resides in the backup restore functionality, specifically within \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e. Authenticated administrators can exploit this flaw by manipulating the \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter, which lacks proper sanitization. This allows for the upload of arbitrary files with attacker-controlled names to the \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory. Successful exploitation leads to remote code execution via overwriting Apache\u0026rsquo;s \u003ccode\u003e.htaccess\u003c/code\u003e configuration files, effectively compromising the web server. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and control of their systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated administrator logs into the ChurchCRM application.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the backup restore functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious backup archive containing a crafted \u003ccode\u003e.htaccess\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious backup archive via the restore functionality, exploiting the path traversal vulnerability in \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e. The \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter is manipulated to control the file\u0026rsquo;s destination.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.htaccess\u003c/code\u003e file is written to the web server\u0026rsquo;s document root or a sensitive directory, such as \u003ccode\u003e/var/www/html/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe overwritten \u003ccode\u003e.htaccess\u003c/code\u003e file modifies the Apache web server\u0026rsquo;s configuration, potentially enabling PHP execution for arbitrary file types or redirecting requests to attacker-controlled scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses a file (e.g., an image or text file) which is now parsed as PHP code due to the malicious \u003ccode\u003e.htaccess\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, gaining remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to gain complete control of the ChurchCRM web server. This can lead to data breaches, defacement of the website, and the potential to use the compromised server as a launchpad for further attacks within the network. Given the sensitive nature of data often stored in ChurchCRM systems (e.g., personal contact information, financial records), the compromise can have severe consequences for both the organization and its members. While the exact number of vulnerable installations is unknown, the widespread use of ChurchCRM makes this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 6.5.3 or later to patch the vulnerability described in CVE-2026-35573.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload validation and sanitization to prevent path traversal vulnerabilities in other web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads to \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory, looking for unexpected file extensions using the \u0026ldquo;ChurchCRM Suspicious File Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;ChurchCRM .htaccess File Creation\u0026rdquo; Sigma rule to detect the creation of .htaccess files in web directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:41Z","date_published":"2026-04-07T18:16:41Z","id":"/briefs/2026-04-churchcrm-traversal/","summary":"A path traversal vulnerability in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload arbitrary files, leading to remote code execution by overwriting Apache .htaccess files.","title":"ChurchCRM Path Traversal Vulnerability Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-23696"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-injection","rce","windmill"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWindmill CE and EE, versions 1.276.0 through 1.603.2, are susceptible to an SQL injection vulnerability (CVE-2026-23696) affecting the folder ownership management functionality. An authenticated attacker can exploit this flaw by injecting SQL code via the \u003ccode\u003eowner\u003c/code\u003e parameter. Successful exploitation allows the attacker to read sensitive information, including the JWT signing secret and administrative user identifiers. This access enables them to forge administrative tokens, ultimately leading to arbitrary code execution through the workflow execution endpoints. This vulnerability poses a significant risk to organizations using affected versions of Windmill, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Windmill CE/EE instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the folder ownership management section.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to modify folder ownership, injecting SQL code into the \u003ccode\u003eowner\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection allows the attacker to extract sensitive information from the database, such as the JWT signing secret and administrative user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted JWT signing secret to forge an administrative token.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the forged administrative token to authenticate to the workflow execution endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server via the workflow execution endpoint, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-23696 can lead to complete compromise of the Windmill CE/EE instance. An attacker can gain unauthorized access to sensitive data, including credentials and internal application secrets. They can also execute arbitrary code on the server, potentially leading to data breaches, system downtime, and further lateral movement within the network. This vulnerability affects all organizations using Windmill CE/EE versions 1.276.0 through 1.603.2, and can result in significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Windmill CE/EE to version 1.603.3 or later to patch CVE-2026-23696 as per the vendor\u0026rsquo;s release notes (\u003ca href=\"https://github.com/windmill-labs/windmill/releases/tag/v1.603.3\"\u003ehttps://github.com/windmill-labs/windmill/releases/tag/v1.603.3\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Windmill Folder Ownership Modification\u003c/code\u003e to identify potential SQL injection attempts within HTTP requests to the folder ownership management endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as SQL errors or unusual characters in the \u003ccode\u003eowner\u003c/code\u003e parameter of requests targeting the folder ownership management endpoint (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:27Z","date_published":"2026-04-07T17:16:27Z","id":"/briefs/2026-04-windmill-sqli/","summary":"Windmill CE/EE versions 1.276.0 through 1.603.2 are vulnerable to SQL injection in the folder ownership management, allowing authenticated attackers to inject SQL through the owner parameter, leading to sensitive data access, token forgery, and arbitrary code execution.","title":"Windmill CE/EE SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-windmill-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-35616"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["fortinet","forticlient","ems","rce","cve-2026-35616"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-35616, has been identified in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6. This vulnerability allows unauthenticated attackers to bypass API authentication and authorization checks, enabling them to execute arbitrary code or commands on the EMS server. FortiClient EMS is a centralized platform used to deploy, configure, and monitor FortiClient agents across an organization, making it a high-value target. The vulnerability is being actively exploited in the wild. Successful exploitation can lead to full compromise of the EMS infrastructure, impacting all managed endpoints and potentially enabling lateral movement across enterprise networks. Defenders should prioritize patching and enhance monitoring capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FortiClient EMS instance (versions 7.4.5 through 7.4.6) exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP/API request targeting the unauthenticated API interface of the FortiClient EMS.\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses authentication and authorization checks due to improper access control (CWE-284).\u003c/li\u003e\n\u003cli\u003eThe bypassed access controls allow the attacker to execute unauthorized code or commands on the EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains control of administrative functionality on the FortiClient EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates or exfiltrates sensitive configuration and policy data stored on the EMS.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys malicious payloads to managed endpoints via the compromised EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised EMS as a foothold for further network intrusion or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35616 can lead to a full compromise of the FortiClient EMS infrastructure. This includes the ability to manipulate or exfiltrate sensitive configuration and policy data, corrupt or disable endpoint protections, disrupt endpoint management services, and deploy malicious payloads to managed endpoints. The vulnerability enables lateral movement across enterprise networks. The CCB has confirmed that this vulnerability has been exploited in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest Fortinet patch for FortiClient EMS to remediate CVE-2026-35616 immediately.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting unauthorized API access to the FortiClient EMS webserver to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:08:28Z","date_published":"2026-04-07T15:08:28Z","id":"/briefs/2026-04-forticlient-ems-rce/","summary":"A critical vulnerability, CVE-2026-35616, exists in Fortinet FortiClient EMS (Endpoint Management Server) allowing unauthenticated attackers to bypass API authentication and authorization checks to execute arbitrary code or commands, potentially leading to full compromise of the EMS infrastructure.","title":"Fortinet FortiClient EMS Unauthenticated Remote Code Execution via CVE-2026-35616","url":"https://feed.craftedsignal.io/briefs/2026-04-forticlient-ems-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22679"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["weaver","e-cology","rce","unauthenticated","cve-2026-22679"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeaver (Fanwei) E-cology is susceptible to an unauthenticated remote code execution (RCE) vulnerability affecting version 10.0 prior to 20260312. The vulnerability exists in the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint, stemming from exposed debug functionality. Exploitation allows unauthenticated attackers to execute arbitrary commands on the underlying system. The attack involves crafting malicious POST requests with attacker-controlled \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters. Shadowserver Foundation observed initial exploitation attempts on 2026-03-31 (UTC). Due to the ease of exploitation and lack of authentication requirement, this vulnerability presents a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Weaver E-cology 10.0 instance running a version prior to 20260312.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters, which are set to values designed to invoke command execution helpers.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without authentication due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe application invokes the specified \u003ccode\u003emethodName\u003c/code\u003e within the \u003ccode\u003einterfaceName\u003c/code\u003e, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes commands on the server, such as establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the server.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, potentially leading to data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected Weaver E-cology 10.0 server. This can lead to full system compromise, data exfiltration, and disruption of services. Given the critical nature of systems often managed by E-cology, this could have significant business impact, leading to financial losses, reputational damage, and legal liabilities. There is currently no public information on the number of victims or specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Weaver E-cology 10.0 installations to a version equal to or greater than 20260312 to patch CVE-2026-22679.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Weaver E-cology Dubbo API Exploitation Attempt\u0026rdquo; to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint with suspicious \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters (see logsource details in the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T13:16:45Z","date_published":"2026-04-07T13:16:45Z","id":"/briefs/2024-01-weaver-rce/","summary":"Weaver E-cology 10.0 before 20260312 is vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary commands by crafting a POST request to the /papi/esearch/data/devops/dubboApi/debug/method endpoint.","title":"Weaver E-cology Unauthenticated RCE via Dubbo API Debug Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-65115"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2025-65115","rce","jp1","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-65115 is a critical remote code execution vulnerability present in a range of JP1/IT Desktop Management products running on Windows. This includes JP1/IT Desktop Management 2 - Manager, JP1/IT Desktop Management 2 - Operations Director, Job Management Partner 1/IT Desktop Management 2 - Manager, JP1/IT Desktop Management - Manager, Job Management Partner 1/IT Desktop Management - Manager, JP1/NETM/DM Manager, JP1/NETM/DM Client, Job Management Partner 1/Software Distribution Manager, and Job Management Partner 1/Software Distribution Client. The vulnerability impacts specific versions, with corrected versions identified as 13-50-02 and later for some products. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system, leading to complete system compromise. Defenders should prioritize patching vulnerable versions immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eWhile the specific exploitation method is not detailed, the following attack chain is inferred based on the nature of remote code execution vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable JP1/IT Desktop Management instance running on a Windows server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network request targeting a specific service or endpoint within the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThis request leverages a flaw in the application\u0026rsquo;s handling of input data (e.g., buffer overflow, improper input validation).\u003c/li\u003e\n\u003cli\u003eThe malicious request triggers the execution of attacker-controlled code within the context of the JP1/IT Desktop Management process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code gains initial access to the system, potentially with elevated privileges, depending on the service account the application is running under.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the compromised system, establishing persistence via techniques like creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt lateral movement to other systems within the network, leveraging stolen credentials or other exploits.\u003c/li\u003e\n\u003cli\u003eThe final objective could include data exfiltration, deployment of ransomware, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-65115 can lead to complete compromise of the affected Windows server. This could result in data breaches, service disruption, and potential lateral movement to other systems within the network. Given the nature of JP1/IT Desktop Management products, which are often used to manage and distribute software across an organization, a successful attack could have a widespread impact, affecting many endpoints within the managed environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all instances of JP1/IT Desktop Management products to the latest versions, specifically addressing the versions outlined in CVE-2025-65115.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting JP1/IT Desktop Management servers (enable \u003ccode\u003enetwork_connection\u003c/code\u003e logging).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious JP1 ITDM Network Connection\u0026rdquo; to identify potentially malicious network connections related to JP1/IT Desktop Management.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to detect potentially malicious processes spawned by the JP1/IT Desktop Management application (enable \u003ccode\u003eprocess_creation\u003c/code\u003e logging).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Process Creation from JP1 ITDM\u0026rdquo; to identify potentially malicious processes spawned by the JP1/IT Desktop Management application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T06:16:40Z","date_published":"2026-04-07T06:16:40Z","id":"/briefs/2026-04-jp1-rce/","summary":"CVE-2025-65115 is a remote code execution vulnerability affecting multiple versions of JP1/IT Desktop Management and related products on Windows, potentially allowing attackers to execute arbitrary code on vulnerable systems.","title":"Remote Code Execution Vulnerability in JP1/IT Desktop Management Products (CVE-2025-65115)","url":"https://feed.craftedsignal.io/briefs/2026-04-jp1-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-0740"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce","CVE-2026-0740"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Ninja Forms - File Uploads plugin for WordPress, specifically versions up to and including 3.3.26, contains an arbitrary file upload vulnerability (CVE-2026-0740). This flaw stems from a lack of proper file type validation within the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress server. Successful exploitation could enable remote code execution, allowing the attacker to compromise the web server and potentially the underlying network. The vulnerability was partially addressed in version 3.3.25 and fully resolved in version 3.3.27. This vulnerability poses a significant risk to organizations using the vulnerable plugin, potentially leading to data breaches, website defacement, or complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the WordPress server targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious file disguised as a legitimate file type, exploiting the missing file type validation in the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle_upload\u003c/code\u003e function processes the request without properly validating the file type, allowing the malicious file to be uploaded to the server.\u003c/li\u003e\n\u003cli\u003eThe uploaded file is stored in the WordPress uploads directory, typically located within the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the malicious file (e.g., a PHP script) to execute arbitrary code on the server when accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded malicious file via a direct HTTP request to the file\u0026rsquo;s location within the uploads directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the malicious file (e.g., a PHP script), granting the attacker the ability to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to gain a persistent foothold on the server, install malware, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0740 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This can result in complete compromise of the WordPress website, including data breaches, website defacement, and installation of backdoors. The impact is significant due to the widespread use of WordPress and the Ninja Forms plugin. Even a single successful attack can lead to substantial financial losses, reputational damage, and legal liabilities. Websites utilizing versions of the Ninja Forms File Uploads plugin prior to 3.3.27 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Ninja Forms File Uploads plugin to version 3.3.27 or later to fully patch CVE-2026-0740.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block malicious file upload attempts targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious requests to the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Ninja Forms Arbitrary File Upload Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnforce strict file type validation on all file upload forms, even after upgrading the plugin, as a defense-in-depth measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T05:16:06Z","date_published":"2026-04-07T05:16:06Z","id":"/briefs/2026-04-ninja-forms-rce/","summary":"The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"Ninja Forms File Upload Plugin Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-ninja-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5709"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5709","rce","aws","res"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5709 affects AWS Research and Engineering Studio (RES), a cloud-based platform for research and engineering workflows. The vulnerability resides in the FileBrowser API and is present in versions 2024.10 through 2025.12.01. An authenticated attacker can exploit this vulnerability by sending crafted input to the FileBrowser functionality, leading to arbitrary command execution on the underlying cluster-manager EC2 instance. This could allow attackers to gain complete control over the RES environment, potentially compromising sensitive data and disrupting critical research activities. AWS recommends that users upgrade to RES version 2026.03 or apply a mitigation patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for an AWS Research and Engineering Studio (RES) account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the RES environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious input designed to exploit the unsanitized input vulnerability in the FileBrowser API.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the FileBrowser API endpoint.\u003c/li\u003e\n\u003cli\u003eThe FileBrowser API processes the input without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is executed as an operating system command on the cluster-manager EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution, potentially installing malware, exfiltrating data, or creating new administrative accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5709 grants the attacker the ability to execute arbitrary commands on the cluster-manager EC2 instance within the AWS Research and Engineering Studio (RES) environment. This can lead to complete compromise of the RES environment, data theft, denial of service, and potential lateral movement to other AWS resources. Due to the nature of research environments, this vulnerability could expose highly sensitive data, intellectual property, and research findings. The impact is significant due to the potential for widespread damage and disruption of critical research activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade AWS Research and Engineering Studio (RES) to version 2026.03 or apply the recommended mitigation patch provided by AWS to remediate CVE-2026-5709.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious FileBrowser API Requests\u0026rdquo; to identify potential exploitation attempts targeting the FileBrowser API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the FileBrowser API endpoint, looking for unusual characters or command injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:25Z","date_published":"2026-04-06T22:16:25Z","id":"/briefs/2026-04-aws-res-rce/","summary":"CVE-2026-5709 is a critical vulnerability in AWS Research and Engineering Studio (RES) versions 2024.10 through 2025.12.01, allowing remote authenticated attackers to execute arbitrary commands on the cluster-manager EC2 instance through the FileBrowser API.","title":"AWS Research and Engineering Studio (RES) RCE via FileBrowser API Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-aws-res-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35164","rce","file-upload","brave-cms","ckeditor","php","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the \u003ccode\u003eckupload\u003c/code\u003e method located in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. Organizations using affected versions of Brave CMS are at risk of complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application as a user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CKEditor\u0026rsquo;s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eckupload\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e processes the uploaded file without proper validation of the file type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP script is stored on the server in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP script via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).\u003c/li\u003e\n\u003cli\u003eImplement server-side file validation to prevent the upload of malicious files, regardless of file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server\u0026rsquo;s upload directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-brave-cms-rce/","summary":"Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.","title":"Brave CMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-26026"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-26026","template-injection","rce","glpi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a widely used open-source IT asset management software. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 to 11.0.5. This vulnerability stems from a template injection flaw that can be exploited by a logged-in administrator. Successful exploitation allows the administrator to achieve remote code execution (RCE) on the underlying server. The vulnerability was reported on April 6, 2026, and has been patched in version 11.0.6. Organizations using vulnerable versions of GLPI should upgrade immediately to prevent potential compromise. The high CVSS score (9.1) reflects the severity and potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a vulnerable GLPI instance (versions 11.0.0 - 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a section of the GLPI interface that allows for template modification.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious template containing code injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified template within the GLPI system.\u003c/li\u003e\n\u003cli\u003eThe GLPI system processes the malicious template, executing the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code allows the attacker to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to gain persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization\u0026rsquo;s infrastructure. Given GLPI\u0026rsquo;s function in managing IT assets, this can result in widespread damage across the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.\u003c/li\u003e\n\u003cli\u003eReview and audit GLPI administrator accounts for any suspicious activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Template Injection Attempts\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect GLPI Template Injection RCE\u0026rdquo; rule in your SIEM.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the GLPI server to only authorized personnel and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-rce/","summary":"GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.","title":"GLPI Template Injection RCE (CVE-2026-26026)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2019-25671"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2019-25671","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVA MAX 8.3.4 is susceptible to a remote code execution (RCE) vulnerability identified as CVE-2019-25671. This vulnerability allows authenticated attackers to inject shell metacharacters into the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter, leading to arbitrary command execution. The attack vector involves sending crafted POST requests to the \u003ccode\u003echangeip.php\u003c/code\u003e endpoint. Successful exploitation grants the attacker the ability to execute commands as the \u003ccode\u003eapache\u003c/code\u003e user. This vulnerability poses a significant risk to organizations using the affected VA MAX version, as it can lead to complete system compromise. Given the ease of exploitation and the potential for significant impact, defenders need to prioritize detection and mitigation efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the VA MAX 8.3.4 web interface using valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request targeting the \u003ccode\u003echangeip.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter containing shell metacharacters and the desired command for execution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echangeip.php\u003c/code\u003e script processes the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters are interpreted by the system, leading to command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker-supplied command is executed with the privileges of the \u003ccode\u003eapache\u003c/code\u003e user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system, potentially installing malware, exfiltrating data, or performing other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-25671 allows an attacker to execute arbitrary commands on the affected VA MAX 8.3.4 system. This can lead to complete system compromise, data theft, and disruption of services. If VA MAX manages critical infrastructure, this vulnerability could have significant real-world consequences. Given the publicly available exploit code, the risk of widespread exploitation is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003echangeip.php\u003c/code\u003e containing shell metacharacters in the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter within the \u003ccode\u003echangeip.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eConsider upgrading to a patched version of VA MAX that addresses CVE-2019-25671.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised VA MAX system.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent unauthorized access to the VA MAX web interface.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious processes spawned by the \u003ccode\u003eapache\u003c/code\u003e user, which could indicate successful exploitation of the RCE vulnerability using the Sigma rule \u003ccode\u003eDetect Suspicious Processes Spawned by Apache\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-va-max-rce/","summary":"VA MAX 8.3.4 is vulnerable to remote code execution (CVE-2019-25671), allowing authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter via a POST request to changeip.php.","title":"VA MAX 8.3.4 Remote Code Execution via changeip.php (CVE-2019-25671)","url":"https://feed.craftedsignal.io/briefs/2026-04-va-max-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","budibase"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability has been identified in Budibase versions prior to 3.33.4, specifically within the bash automation step located in \u003ccode\u003epackages/server/src/automations/steps/bash.ts\u003c/code\u003e. This flaw allows an attacker with permissions to create or modify automation workflows to inject arbitrary shell commands. The vulnerability stems from the usage of \u003ccode\u003eexecSync\u003c/code\u003e to execute user-supplied commands without adequate sanitization or validation. Input is processed through \u003ccode\u003eprocessStringSync\u003c/code\u003e, enabling template interpolation that can be exploited for command injection. Successful exploitation could lead to remote code execution, complete system compromise, data exfiltration, and lateral movement within the affected infrastructure. Defenders should prioritize patching or implementing mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Budibase platform with the ability to create or modify automation workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing shell commands embedded within template syntax (e.g., \u003ccode\u003e$(rm -rf /)\u003c/code\u003e, \u003ccode\u003e; malicious-command\u003c/code\u003e, \u003ccode\u003e| malicious-command\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u003ccode\u003einputs.code\u003c/code\u003e field of a bash automation step.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocessStringSync\u003c/code\u003e function processes the user-supplied input, interpolating the template syntax and generating a command string.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecSync\u003c/code\u003e function executes the crafted command string without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands execute on the server with the privileges of the Budibase application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining control of the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including remote code execution (RCE) on the Budibase server. This could result in complete system compromise, allowing attackers to steal sensitive data, modify system configurations, or use the compromised system as a pivot point for further attacks within the network. While the exact number of affected organizations is unknown, any Budibase instance running a version prior to 3.33.4 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately disable the bash automation step in production environments to prevent further exploitation.\u003c/li\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later, where this vulnerability is addressed.\u003c/li\u003e\n\u003cli\u003eImplement the command sanitization and validation techniques outlined in the provided example fix.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement a whitelist of allowed commands to restrict the functionality of the bash automation step.\u003c/li\u003e\n\u003cli\u003eEnable and review Budibase application logs for any unusual or suspicious command execution patterns (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-budibase-cmd-injection/","summary":"A command injection vulnerability exists in Budibase's bash automation step due to insufficient sanitization, allowing attackers with automation modification access to inject arbitrary shell commands, leading to remote code execution.","title":"Budibase Command Injection Vulnerability in Bash Automation Step","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33509"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["pyLoad","rce","pickle","deserialization","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003epyLoad, a download manager, is susceptible to arbitrary code execution due to an insecure configuration option related to the storage folder. This vulnerability arises from the incomplete fix for CVE-2026-33509. Specifically, the \u003ccode\u003estorage_folder\u003c/code\u003e option is not included in the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set, which allows users with \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions to modify it. By redirecting downloads to the Flask filesystem session store, an attacker can plant a malicious pickle payload as a predictable session file. Subsequently, any HTTP request containing the corresponding crafted session cookie will trigger the deserialization of the payload, resulting in arbitrary code execution. This issue affects pyLoad versions up to and including 0.5.0b3. The observed exploitation involves manipulating the download directory to write malicious files into the Flask session store, ultimately leading to code execution on the host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains a non-admin user account with both \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions in pyLoad.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/set_config_value\u003c/code\u003e endpoint to modify the \u003ccode\u003estorage_folder\u003c/code\u003e option, setting its value to the Flask session store directory: \u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e. This bypasses existing path restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker calculates the target session filename by computing the MD5 hash of the string \u0026ldquo;session:ATTACKER_SESSION_ID\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious pickle payload (e.g., \u003ccode\u003e92912f771df217fb6fbfded6705dd47c\u003c/code\u003e) on a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/add_package\u003c/code\u003e endpoint to add a download package. The download link points to the hosted malicious pickle payload on the attacker\u0026rsquo;s server: \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e. The \u003ccode\u003edest\u003c/code\u003e parameter specifies where to store the downloaded file.\u003c/li\u003e\n\u003cli\u003epyLoad downloads the malicious pickle payload and saves it to the Flask session store directory, naming it according to the MD5 hash calculated earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the pyLoad server, including a cookie named \u003ccode\u003epyload_session_{port}\u003c/code\u003e with the value \u003ccode\u003eATTACKER_SESSION_ID\u003c/code\u003e.  The port number is derived from the pyLoad configuration.\u003c/li\u003e\n\u003cli\u003eUpon receiving the request with the crafted cookie, Flask attempts to load the session data from the corresponding file. The \u003ccode\u003ecachelib\u003c/code\u003e library deserializes the malicious pickle payload using \u003ccode\u003epickle.load()\u003c/code\u003e, triggering arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a non-admin user with SETTINGS and ADD permissions to achieve arbitrary code execution as the pyload service user. This grants the attacker the ability to execute arbitrary commands, read environment variables (potentially exposing API keys and credentials), access the filesystem (including download history and user databases), and potentially pivot to other network resources. The vulnerability requires no authentication to trigger the final stage of exploitation, increasing its severity and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to modify the \u003ccode\u003estorage_folder\u003c/code\u003e configuration option to point to the Flask session directory (\u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e): \u003ccode\u003eSuspicious pyLoad Storage Folder Modification\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix by adding \u003ccode\u003estorage_folder\u003c/code\u003e to the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set in the pyLoad configuration to prevent non-admin users from modifying it.\u003c/li\u003e\n\u003cli\u003eBlock the malicious URLs used to deliver the pickle payload, specifically \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e, at your network perimeter.\u003c/li\u003e\n\u003cli\u003eMonitor for HTTP requests containing the crafted session cookie (\u003ccode\u003epyload_session_{port}=ATTACKER_SESSION_ID\u003c/code\u003e), using a webserver or proxy log source, as it triggers the final stage of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:43:37Z","date_published":"2026-04-04T06:43:37Z","id":"/briefs/2026-04-pyload-rce/","summary":"pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.","title":"pyLoad Arbitrary Code Execution via Malicious Session Deserialization","url":"https://feed.craftedsignal.io/briefs/2026-04-pyload-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-35216"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-35216","budibase","rce","webhook"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Budibase instance running a version prior to 3.33.4.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a public webhook endpoint exposed by the Budibase instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request triggers a pre-configured automation within Budibase.\u003c/li\u003e\n\u003cli\u003eThe automation contains a Bash step that executes attacker-controlled commands.\u003c/li\u003e\n\u003cli\u003eThe Bash script executes as root within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Budibase server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-rce/","summary":"Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.","title":"Budibase Unauthenticated Remote Code Execution via Webhook","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34791"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEndian Firewall version 3.3.25 and prior is susceptible to OS command injection. This vulnerability, identified as CVE-2026-34791, allows authenticated users to execute arbitrary operating system commands. The vulnerability exists due to insufficient validation of the DATE parameter in the \u003ccode\u003e/cgi-bin/logs_proxy.cgi\u003c/code\u003e script. The DATE parameter\u0026rsquo;s value is used to construct a file path that is subsequently passed to a Perl \u003ccode\u003eopen()\u003c/code\u003e call. Due to an incomplete regular expression validation, an attacker can inject malicious commands. Successful exploitation allows the attacker to gain complete control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user accesses the \u003ccode\u003e/cgi-bin/logs_proxy.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eDATE\u003c/code\u003e parameter containing OS commands to be injected.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/cgi-bin/logs_proxy.cgi\u003c/code\u003e script receives the \u003ccode\u003eDATE\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe script constructs a file path using the unvalidated \u003ccode\u003eDATE\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe script passes the crafted file path to a Perl \u003ccode\u003eopen()\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe Perl \u003ccode\u003eopen()\u003c/code\u003e function executes the injected OS commands due to the incomplete regular expression validation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, creating user accounts, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary OS commands on the affected Endian Firewall system. This can lead to complete system compromise, including data theft, service disruption, and the potential to use the compromised system as a launchpad for further attacks within the network. Given that firewalls are critical security components, a compromise could have severe consequences for the entire network infrastructure, leading to widespread data breaches and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a supported version of Endian Firewall that addresses CVE-2026-34791 (refer to Endian Firewall\u0026rsquo;s advisory).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Logs Proxy Date Parameter\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/cgi-bin/logs_proxy.cgi\u003c/code\u003e containing unusual characters or command-like syntax in the \u003ccode\u003eDATE\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and sanitization for all user-supplied input to prevent command injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T15:16:42Z","date_published":"2026-04-02T15:16:42Z","id":"/briefs/2026-04-endian-firewall-rce/","summary":"Endian Firewall version 3.3.25 and prior allows authenticated users to execute arbitrary OS commands due to an OS command injection vulnerability in the DATE parameter of the /cgi-bin/logs_proxy.cgi endpoint.","title":"Endian Firewall Command Injection Vulnerability (CVE-2026-34791)","url":"https://feed.craftedsignal.io/briefs/2026-04-endian-firewall-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","file-upload","sharefile"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2701 is a critical vulnerability affecting ShareFile Storage Zones Controller, allowing authenticated users to upload and execute malicious files on the server, resulting in remote code execution. The vulnerability stems from inadequate input validation and insufficient restrictions on file types during upload. Successful exploitation enables attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. While the specific versions affected are not explicitly stated in the source, the vulnerability was reported in conjunction with a security vulnerability advisory published in February 2026. Defenders should prioritize patching and implementing mitigations to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the ShareFile Storage Zones Controller.\u003c/li\u003e\n\u003cli\u003eThe user navigates to the file upload functionality within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a specially crafted malicious file (e.g., a web shell or executable).\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the file type or content, allowing the malicious file to be stored on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to execute the uploaded malicious file. This may involve leveraging OS command injection (CWE-78) or code injection (CWE-94) vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe server executes the malicious file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to move laterally, install backdoors, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the compromised server and potentially the entire ShareFile environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2701 allows attackers to execute arbitrary code on the affected ShareFile Storage Zones Controller server. This can lead to a complete compromise of the server, data exfiltration, and potential lateral movement within the network. While the exact number of victims is unknown, any organization using vulnerable versions of ShareFile Storage Zones Controller is at risk. Given the nature of ShareFile, this could expose sensitive data belonging to customers and partners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch referenced in the Progress Software Corporation advisory (\u003ca href=\"https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26\"\u003ehttps://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26\u003c/a\u003e) to remediate CVE-2026-2701.\u003c/li\u003e\n\u003cli\u003eImplement strict file type validation and sanitization on all file upload functionalities within the ShareFile Storage Zones Controller.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity or attempts to execute unusual file types using the provided Sigma rule targeting webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:27Z","date_published":"2026-04-02T14:16:27Z","id":"/briefs/2026-04-sharefile-rce/","summary":"Authenticated users can upload malicious files to a ShareFile Storage Zones Controller server and execute them, leading to remote code execution, due to improper neutralization of special elements, code generation, and unrestricted file upload.","title":"ShareFile Storage Zones Controller Unauthenticated Remote Code Execution via File Upload (CVE-2026-2701)","url":"https://feed.craftedsignal.io/briefs/2026-04-sharefile-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sharefile","storage-zones-controller","rce","cve-2026-2699"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2699 affects Customer Managed ShareFile Storage Zones Controller (SZC) versions prior to the fix. The vulnerability allows an unauthenticated attacker to bypass access controls and directly access restricted configuration pages. This unauthorized access can lead to malicious actors changing system settings, potentially installing backdoors, or executing arbitrary code remotely. The vulnerability was reported to Progress Software Corporation and assigned a CVSS v3.1 base score of 9.8, categorizing it as critical. Successful exploitation of this vulnerability could have significant consequences for organizations using the affected ShareFile SZC, as it could compromise sensitive data and system integrity. Defenders should prioritize patching and detection efforts to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable ShareFile Storage Zones Controller (SZC) instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a restricted configuration page, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe SZC processes the request without proper authorization, granting access to the restricted page.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies critical system configurations, potentially including settings related to file storage, authentication, or update mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified configurations to upload a malicious file to the SZC.\u003c/li\u003e\n\u003cli\u003eThe uploaded file, potentially a script or executable, is then executed by the SZC.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, gaining control over the SZC server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised SZC to access sensitive data or pivot to other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2699 can result in complete compromise of the ShareFile Storage Zones Controller (SZC) instance. This can lead to unauthorized access to sensitive data stored within the ShareFile environment. Attackers can also use the compromised SZC as a pivot point to access other internal systems. The affected sectors could include any organization using the vulnerable ShareFile SZC setup, potentially leading to widespread data breaches and operational disruption. Given the CVSS score of 9.8, the impact is considered critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Customer Managed ShareFile Storage Zones Controller (SZC) instances to the latest version as recommended in the Progress Software Corporation advisory referenced in the documentation URL within the IOCs section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthorized access attempts to restricted configuration pages on ShareFile SZC servers, monitoring webserver logs for suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview network traffic for unusual outbound connections from ShareFile SZC servers after the patch, looking for signs of potential compromise, based on network connection logs.\u003c/li\u003e\n\u003cli\u003eMonitor ShareFile SZC server logs for any unauthorized configuration changes based on file event logs after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:27Z","date_published":"2026-04-02T14:16:27Z","id":"/briefs/2026-04-sharefile-szc-rce/","summary":"An unauthenticated attacker can access restricted configuration pages in Customer Managed ShareFile Storage Zones Controller (SZC), leading to system configuration changes and potential remote code execution.","title":"ShareFile Storage Zones Controller Unauthenticated Configuration Access and Potential RCE (CVE-2026-2699)","url":"https://feed.craftedsignal.io/briefs/2026-04-sharefile-szc-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-33613"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33613","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33613 is a remote code execution (RCE) vulnerability affecting the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function due to improper neutralization of special elements used in an OS command. Successful exploitation allows a remote attacker to achieve full system compromise. This vulnerability is triggered by writing arbitrary data to the user table, representing a significant security risk if combined with other vulnerabilities that enable such data manipulation. The vulnerability was published on April 2, 2026, and reported by CERT VDE. Defenders should prioritize investigating any suspicious activity related to user table modifications and monitor for unexpected command execution originating from the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function. The CVSS v3.1 score is 7.2, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through an external vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker leverages this access to inject arbitrary data into the user table.\u003c/li\u003e\n\u003cli\u003eThe system processes the malicious data in the user table through the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to improper neutralization of special elements, the injected data is interpreted as an OS command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egenerateSrpArray\u003c/code\u003e function executes the attacker-controlled OS command.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution with the privileges of the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain full system control.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, installing backdoors, or causing denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33613 leads to complete system compromise, granting the attacker full control over the affected system. This can result in data breaches, service disruption, and significant financial losses. While the number of potential victims and targeted sectors are currently unknown, any system utilizing the vulnerable \u003ccode\u003egenerateSrpArray\u003c/code\u003e function is at risk. Given the high CVSS score (7.2), organizations should prioritize patching and mitigation efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual writes or modifications to the user table using file integrity monitoring or database auditing, to identify potential exploitation attempts (file_event, registry_set).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for any data processed by the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function to prevent OS command injection (webserver, linux/windows).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts and post-exploitation activity (process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any processes spawned by the \u003ccode\u003egenerateSrpArray\u003c/code\u003e function, especially those with unusual command-line arguments, using endpoint detection and response (EDR) solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T10:16:15Z","date_published":"2026-04-02T10:16:15Z","id":"/briefs/2026-04-cve-2026-33613/","summary":"CVE-2026-33613 describes a remote code execution (RCE) vulnerability due to improper neutralization of special elements used in an OS command in the generateSrpArray function, leading to full system compromise, but requires a separate method for writing arbitrary data to the user table.","title":"CVE-2026-33613: Remote Code Execution in generateSrpArray Function","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-33613/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4347"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-move","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe MW WP Form plugin for WordPress is susceptible to an arbitrary file moving vulnerability identified as CVE-2026-4347. This flaw stems from a lack of proper file path validation within the \u0026lsquo;generate_user_filepath\u0026rsquo; and \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; functions. All versions of the plugin up to and including 5.1.0 are affected. An unauthenticated attacker can exploit this vulnerability to move arbitrary files on the server, potentially overwriting or relocating critical system files. The most severe outcome is remote code execution, which can be achieved by moving files such as \u0026lsquo;wp-config.php\u0026rsquo; to a location where its contents are exposed. The vulnerability is only exploitable when a file upload field exists on a form and the “Saving inquiry data in database” option is enabled, narrowing the attack surface but increasing the risk for affected installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the MW WP Form plugin (\u0026lt;= 5.1.0) with a file upload field enabled and the \u0026ldquo;Saving inquiry data in database\u0026rdquo; option turned on.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the WordPress site, targeting the file upload functionality of the MW WP Form plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the file path within the request, exploiting the insufficient validation in the \u0026lsquo;generate_user_filepath\u0026rsquo; function to specify a target file for movement.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; function is triggered, attempting to move the uploaded file to the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the targeted file (e.g., wp-config.php) is successfully moved to a new location on the server.\u003c/li\u003e\n\u003cli\u003eIf wp-config.php is moved to a publicly accessible directory, the database credentials and other sensitive information become exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exposed wp-config.php file, extracting database credentials and other sensitive information.\u003c/li\u003e\n\u003cli\u003eUsing the obtained database credentials, the attacker gains unauthorized access to the WordPress database, potentially leading to remote code execution or complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4347 allows unauthenticated attackers to move arbitrary files within the WordPress server\u0026rsquo;s file system. This can lead to the exposure of sensitive configuration files like \u0026lsquo;wp-config.php\u0026rsquo;, leading to full database and site compromise. While the number of affected installations is currently unknown, a successful attack can have devastating consequences, including data theft, website defacement, and remote code execution. The impact is limited to sites using the vulnerable MW WP Form plugin with specific configuration settings enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MW WP Form plugin to the latest version (greater than 5.1.0) to patch CVE-2026-4347.\u003c/li\u003e\n\u003cli\u003eAs a preventative measure, implement file integrity monitoring on critical files like \u0026lsquo;wp-config.php\u0026rsquo; to detect unauthorized modifications or movement. Use file_event logs to trigger alerts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MW WP Form Arbitrary File Move Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview WordPress access logs for suspicious file upload requests, focusing on requests to the MW WP Form plugin\u0026rsquo;s upload handler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T06:16:23Z","date_published":"2026-04-02T06:16:23Z","id":"/briefs/2026-04-mw-wp-form-file-move/","summary":"The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.","title":"MW WP Form WordPress Plugin Arbitrary File Move Vulnerability (CVE-2026-4347)","url":"https://feed.craftedsignal.io/briefs/2026-04-mw-wp-form-file-move/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-1345"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","cve-2026-1345"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIBM Verify Identity Access Container versions 11.0 through 11.0.2 and IBM Security Verify Access Container versions 10.0 through 10.0.9.1, as well as IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1, are vulnerable to command injection. An unauthenticated attacker can exploit this vulnerability (CVE-2026-1345) to execute arbitrary commands with lower user privileges due to insufficient input validation. This poses a significant risk as it could lead to unauthorized access, data breaches, or system compromise if successfully exploited. Defenders need to ensure systems are patched and monitor for suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious request to the vulnerable IBM Verify or Security Verify Access server.\u003c/li\u003e\n\u003cli\u003eThe request contains crafted input designed to exploit the command injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe server fails to properly validate the user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe malicious input is passed to an operating system command.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-controlled command with the privileges of the compromised user (lower user privileges).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then potentially escalate privileges, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-1345) allows an unauthenticated attacker to execute arbitrary commands on the affected system with lower user privileges. While the attacker does not gain root access directly, this vulnerability can be used as a stepping stone to further compromise the system, potentially leading to data breaches, service disruption, or complete system takeover. The lack of initial authentication makes it easily exploitable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by IBM as detailed in their advisory to remediate CVE-2026-1345 (\u003ca href=\"https://www.ibm.com/support/pages/node/7268253)\"\u003ehttps://www.ibm.com/support/pages/node/7268253)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on all user-supplied input to prevent command injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests and patterns that indicate command injection attempts, creating correlation rules using webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T21:16:58Z","date_published":"2026-04-01T21:16:58Z","id":"/briefs/2026-04-ibm-verify-rce/","summary":"Unauthenticated command execution is possible in IBM Verify Identity Access Container and IBM Security Verify Access Container due to improper validation of user-supplied input, allowing arbitrary command execution with lower privileges.","title":"IBM Verify Identity Access and Security Verify Access Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-ibm-verify-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20160"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-20160","cisco","ssm-on-prem","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem). The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This is due to the unintentional exposure of an internal service. The vulnerability was reported in April 2026. Successful exploitation allows for command execution with root-level privileges, making it a critical risk for organizations using the affected Cisco SSM On-Prem software. Defenders should apply available patches or mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an internet-facing Cisco Smart Software Manager On-Prem (SSM On-Prem) instance.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers the unintentionally exposed internal service through reconnaissance techniques such as port scanning and service enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request specifically designed to exploit the exposed API endpoint of the internal service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the vulnerable API endpoint of the exposed service.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SSM On-Prem software processes the malicious request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe software executes arbitrary commands on the underlying operating system due to the exposed API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root-level privileges on the SSM On-Prem host, allowing for full control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further malicious activities, such as data exfiltration, lateral movement, or installation of persistent backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20160 allows an attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This could lead to complete compromise of the affected SSM On-Prem host. The attacker could exfiltrate sensitive data, disrupt services, or use the compromised system as a launchpad for further attacks within the network. Given the critical nature of software license management performed by SSM On-Prem, a successful attack could have significant operational and financial consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Cisco to address CVE-2026-20160 on all affected Cisco Smart Software Manager On-Prem (SSM On-Prem) instances.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting Cisco Smart Software Manager On-Prem instances to detect potential exploitation attempts, using the \u0026ldquo;Detect Cisco SSM On-Prem API Exploitation Attempt\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of internal services and prevent unauthorized access from external networks.\u003c/li\u003e\n\u003cli\u003eReview access controls and authentication mechanisms for all internal services to ensure proper security configurations and prevent unintentional exposure.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Cisco SSM On-Prem Root Command Execution\u0026rdquo; Sigma rule to detect suspicious process execution originating from the SSM On-Prem server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T17:28:31Z","date_published":"2026-04-01T17:28:31Z","id":"/briefs/2024-02-cisco-ssm-rce/","summary":"CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.","title":"Cisco Smart Software Manager On-Prem RCE via Exposed API (CVE-2026-20160)","url":"https://feed.craftedsignal.io/briefs/2024-02-cisco-ssm-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2021-45046"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jndi","java","log4shell","rce","exploitation"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies potential exploitation attempts targeting Java Naming and Directory Interface (JNDI) vulnerabilities. These vulnerabilities, exemplified by CVE-2021-45046, allow attackers to perform remote code execution by injecting malicious payloads through directory services like LDAP. The rule focuses on detecting suspicious outbound network connections from Java processes to standard ports associated with LDAP (389, 1389), RMI (1099), and DNS (53, 5353), followed by the execution of suspicious child processes indicative of command execution such as shell interpreters (sh, bash, zsh) or scripting languages (python, perl). The rule aims to identify exploitation attempts similar to those seen with Log4Shell and related vulnerabilities, which have been actively exploited since late 2021. It covers Linux and macOS environments and provides a mechanism to detect ongoing exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA vulnerable Java application receives malicious input containing a JNDI lookup string.\u003c/li\u003e\n\u003cli\u003eThe Java application attempts to resolve the JNDI name, initiating an outbound network connection to an LDAP, RMI, or DNS server on ports 389, 1389, 1099, 53, or 5353.\u003c/li\u003e\n\u003cli\u003eThe malicious LDAP/RMI/DNS server, controlled by the attacker, responds with a payload referencing a malicious Java class or remote code.\u003c/li\u003e\n\u003cli\u003eThe Java application loads and executes the malicious code.\u003c/li\u003e\n\u003cli\u003eAs a result of the executed code, a shell interpreter (sh, bash, zsh, etc.) or scripting language (python, perl, ruby, php, wget) is spawned as a child process of the Java application.\u003c/li\u003e\n\u003cli\u003eThe spawned shell/script executes attacker-controlled commands for reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions such as data exfiltration or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JNDI vulnerabilities can lead to remote code execution, allowing attackers to gain complete control over affected systems. This can result in data breaches, system compromise, and further propagation of attacks within the network. The impact can range from service disruption to complete system takeover. Public exploits for vulnerabilities such as Log4Shell have been widely available, leading to widespread scanning and exploitation attempts across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential JAVA/JNDI Exploitation Attempt\u0026rdquo; to your SIEM to detect suspicious Java processes initiating network connections to LDAP, RMI, or DNS ports followed by suspicious child processes.\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on Linux and macOS endpoints to provide the necessary data for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate Java applications that may trigger false positives due to legitimate network connections (see the \u0026ldquo;False positive analysis\u0026rdquo; section in the original rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of successful exploitation by restricting lateral movement.\u003c/li\u003e\n\u003cli\u003ePatch vulnerable Java applications and libraries, such as Log4j, to prevent exploitation of known vulnerabilities like CVE-2021-45046.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:24:53Z","date_published":"2026-04-01T14:24:53Z","id":"/briefs/2026-06-java-jndi-exploitation/","summary":"This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.","title":"Potential JAVA/JNDI Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2026-06-java-jndi-exploitation/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-53521"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["f5","big-ip","apm","cve-2025-53521","rce","vulnerability"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 28, 2026, F5 issued a revised security advisory regarding CVE-2025-53521, a vulnerability affecting BIG-IP APM. Initially disclosed in October 2025 and categorized as a medium-severity denial-of-service (DoS) issue, it has been reclassified as a critical remote code execution (RCE) vulnerability. F5 has confirmed that CVE-2025-53521 is now being actively exploited by unauthenticated attackers. The updated classification significantly elevates the risk associated with this vulnerability, necessitating immediate action from organizations utilizing affected BIG-IP APM instances to prevent potential system compromise and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the nature of an unauthenticated RCE vulnerability, the following attack chain is likely:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An unauthenticated attacker sends a specially crafted HTTP request to a vulnerable BIG-IP APM endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger:\u003c/strong\u003e The malicious request exploits CVE-2025-53521, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The successful exploit allows the attacker to execute arbitrary code on the BIG-IP APM system with the privileges of the affected service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker may attempt to escalate privileges to gain root or administrator access. This could involve exploiting other vulnerabilities or leveraging misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise:\u003c/strong\u003e With code execution, the attacker gains control over the BIG-IP APM system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration/System Tampering:\u003c/strong\u003e The attacker can use the compromised system as a pivot point to access other internal resources, exfiltrate sensitive data, or tamper with system configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker might establish persistent access by installing backdoors or creating rogue accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-53521 can lead to complete compromise of the affected BIG-IP APM system. This can result in unauthorized access to sensitive data, disruption of critical services, and potential lateral movement to other systems within the network. Given the reclassification to critical severity and active exploitation, the potential for widespread damage is significant. Organizations in all sectors using vulnerable BIG-IP APM instances are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2025-53521 on all affected BIG-IP APM systems with the latest security updates from F5.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting BIG-IP APM endpoints that may indicate exploitation attempts. This can be used to refine detection rules and identify potentially compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T12:00:00Z","date_published":"2026-04-01T12:00:00Z","id":"/briefs/2026-04-f5-big-ip-rce/","summary":"F5 has reclassified CVE-2025-53521, a vulnerability in BIG-IP APM, as a critical unauthenticated remote code execution vulnerability and reports it is being actively exploited in the wild.","title":"F5 BIG-IP APM CVE-2025-53521 Reclassified as Actively Exploited Unauthenticated RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-f5-big-ip-rce/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-2275"},{"id":"CVE-2026-2286"},{"id":"CVE-2026-2287"},{"id":"CVE-2026-2285"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ai","rce","prompt-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrewAI, an open-source multi-agent orchestration framework based on Python, is vulnerable to a chain of exploits that can lead to remote code execution. Discovered by Yarden Porat of Cyata, these vulnerabilities (CVE-2026-2275, CVE-2026-2286, CVE-2026-2287, CVE-2026-2285) are linked to the Code Interpreter tool, which allows users to execute Python code within a Docker container. Attackers can leverage prompt injection to exploit these bugs, escaping the sandbox environment and executing arbitrary code on the host machine. The vulnerabilities are due to improper default configurations and insufficient validation. Although patches are in development, mitigation involves restricting the Code Interpreter tool, disabling code execution flags, and sanitizing inputs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker injects malicious prompts into a CrewAI agent that utilizes the Code Interpreter tool.\u003c/li\u003e\n\u003cli\u003eCVE-2026-2275 is exploited, causing the Code Interpreter tool to fall back to SandboxPython when Docker is inaccessible, potentially enabling arbitrary C function calls.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation of CVE-2026-2275 allows the attacker to trigger CVE-2026-2286, a server-side request forgery (SSRF) bug, by manipulating the RAG search tools with malicious URLs, potentially retrieving content from internal services.\u003c/li\u003e\n\u003cli\u003eCVE-2026-2287 is exploited by bypassing Docker runtime checks and falling back to an insecure sandbox setting, enabling remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2026-2285, an arbitrary local file read vulnerability in the JSON loader tool, to access sensitive files on the server by injecting malicious file paths.\u003c/li\u003e\n\u003cli\u003eThe attacker chains the exploits together to escape the Docker sandbox.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed on the host machine.\u003c/li\u003e\n\u003cli\u003eThe attacker steals credentials or achieves other objectives, such as persistent access or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to escape the sandbox environment and execute code on the host machine or read files from its file system, potentially leading to credential theft, data breaches, and complete system compromise. While the specific number of victims is unknown, any system using CrewAI with the Code Interpreter tool is potentially at risk. Targeted sectors would include organizations leveraging AI and multi-agent systems for automation and task management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict or remove the Code Interpreter tool to eliminate the primary attack vector as described in the overview.\u003c/li\u003e\n\u003cli\u003eDisable the code execution flag in agent configurations unless absolutely necessary, as highlighted in the overview.\u003c/li\u003e\n\u003cli\u003eLimit agent exposure to untrusted input and implement strict input sanitization to prevent prompt injection attacks as mentioned in the attack chain.\u003c/li\u003e\n\u003cli\u003ePrevent fallback to insecure sandbox modes to mitigate the risk associated with CVE-2026-2275 and CVE-2026-2287 as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file access attempts that could indicate exploitation of CVE-2026-2285, using a file_event rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and block potential SSRF attacks related to CVE-2026-2286 targeting internal or cloud services, using a network_connection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T12:00:00Z","date_published":"2026-04-01T12:00:00Z","id":"/briefs/2026-04-crewai-rce/","summary":"Multiple vulnerabilities in CrewAI, an open-source multi-agent orchestration framework, can be exploited by attackers through prompt injection to execute arbitrary code and perform other malicious activities, potentially leading to system compromise.","title":"CrewAI Vulnerabilities Allow Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-crewai-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35056"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","xenforo","cve-2026-35056","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35056 describes a remote code execution vulnerability in XenForo versions prior to 2.3.9 and 2.2.18. This vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary code on the server. The attacker must have valid administrator panel access to exploit this flaw. Successful exploitation leads to complete control over the affected XenForo instance and potentially the underlying server. Organizations using vulnerable XenForo versions are at high risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid administrative credentials to the XenForo panel, likely through credential theft or brute-force attack.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the XenForo admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an administrative function that allows for the injection of malicious code (e.g., template modification, plugin installation, or similar).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a payload containing malicious code (e.g., PHP code) designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the vulnerable administrative function.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the injected payload by accessing the modified function or by some other user interaction.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes on the server, granting the attacker initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage this access to install a web shell, escalate privileges, move laterally, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35056 allows a malicious administrator to execute arbitrary code on the XenForo server. This could lead to complete system compromise, data theft, defacement of the XenForo forum, or use of the server as a launching point for further attacks. Given the potentially sensitive data stored in forum databases, this vulnerability poses a significant risk to confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade XenForo to version 2.3.9 or 2.2.18 or later to patch CVE-2026-35056.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to administrator accounts.\u003c/li\u003e\n\u003cli\u003eMonitor XenForo admin panel activity for suspicious behavior, such as unexpected template modifications or plugin installations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect command execution from the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:41Z","date_published":"2026-04-01T01:16:41Z","id":"/briefs/2026-04-xenforo-rce/","summary":"XenForo before 2.3.9 and 2.2.18 allows remote code execution by authenticated, malicious admin users with admin panel access.","title":"XenForo RCE via Authenticated Admin User (CVE-2026-35056)","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-34449"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34449","rce","siyuan","cors"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan is a personal knowledge management system. Versions prior to 3.6.2 contain a critical vulnerability (CVE-2026-34449) that allows a malicious website to execute arbitrary code on any desktop running the application. This is achieved by exploiting an overly permissive Cross-Origin Resource Sharing (CORS) policy (\u0026ldquo;Access-Control-Allow-Origin: *\u0026rdquo; combined with \u0026ldquo;Access-Control-Allow-Private-Network: true\u0026rdquo;). An attacker can inject a JavaScript snippet into the application via its API. This injected code then executes in the context of Electron\u0026rsquo;s Node.js environment, granting the attacker full operating system access. The vulnerability is triggered simply by a user visiting a malicious website while SiYuan is running. The issue has been addressed and patched in version 3.6.2 of SiYuan. This RCE can allow attackers to steal data, install malware, or perform other malicious activities on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim launches the SiYuan application on their desktop (Windows, Linux, or macOS).\u003c/li\u003e\n\u003cli\u003eVictim visits a malicious website in a web browser while SiYuan is running.\u003c/li\u003e\n\u003cli\u003eThe malicious website leverages the permissive CORS policy of SiYuan.\u003c/li\u003e\n\u003cli\u003eThe malicious website sends an API request to the running SiYuan instance.\u003c/li\u003e\n\u003cli\u003eThis API request injects a malicious JavaScript payload into SiYuan.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored within SiYuan\u0026rsquo;s data.\u003c/li\u003e\n\u003cli\u003eThe next time the user opens SiYuan\u0026rsquo;s UI, the injected JavaScript code executes within Electron\u0026rsquo;s Node.js context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full OS access and can perform arbitrary actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34449 allows for complete compromise of the user\u0026rsquo;s system. The attacker can steal sensitive data, install persistent backdoors, or deploy ransomware. Given SiYuan\u0026rsquo;s purpose as a knowledge management system, it likely holds valuable and sensitive personal or business information. The impact is significant due to the ease of exploitation requiring no user interaction beyond visiting a malicious website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade SiYuan to version 3.6.2 or later to patch CVE-2026-34449.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual API requests originating from web browsers, as this could indicate exploitation attempts. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Suspicious SiYuan API Access from Web Browser\u0026quot;\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict CORS policies for web applications to prevent unauthorized cross-origin requests.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and monitor for unexpected processes spawned from SiYuan, as this could be a sign of successful RCE. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Processes Spawned from SiYuan Indicating RCE\u0026quot;\u003c/code\u003e to detect this.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T22:17:16Z","date_published":"2026-03-31T22:17:16Z","id":"/briefs/2026-04-siyuan-rce/","summary":"SiYuan versions prior to 3.6.2 are vulnerable to remote code execution (RCE) via a malicious website exploiting a permissive CORS policy to inject a JavaScript snippet, leading to arbitrary code execution within the application's Node.js context.","title":"SiYuan Knowledge Management System RCE via Malicious Website","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","vim","emacs","git","modeline"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA researcher at Calif discovered vulnerabilities in Vim and GNU Emacs using the Claude AI assistant. The Vim vulnerability (versions 9.2.0271 and earlier) results from missing security checks in modeline handling, allowing arbitrary code execution when a specially crafted file is opened. A patch is available in version 9.2.0272. The GNU Emacs vulnerability stems from its integration with Git\u0026rsquo;s version control (vc-git) and remains unpatched. Opening a file can trigger Git operations via \u003ccode\u003evc-refresh-state\u003c/code\u003e, leading to the execution of arbitrary commands defined in a user-controlled \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program within a hidden \u003ccode\u003e.git/config\u003c/code\u003e file. This affects users who open files from untrusted sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious archive containing a text file and a hidden \u003ccode\u003e.git/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e.git/\u003c/code\u003e directory includes a \u003ccode\u003econfig\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfig\u003c/code\u003e file contains a \u003ccode\u003ecore.fsmonitor\u003c/code\u003e entry pointing to a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the archive (e.g., via email or shared drive).\u003c/li\u003e\n\u003cli\u003eVictim extracts the archive on their system.\u003c/li\u003e\n\u003cli\u003eThe victim opens the seemingly benign text file within GNU Emacs.\u003c/li\u003e\n\u003cli\u003eGNU Emacs\u0026rsquo; \u003ccode\u003evc-git\u003c/code\u003e integration triggers \u003ccode\u003evc-refresh-state\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evc-refresh-state\u003c/code\u003e causes Git to read the attacker-controlled \u003ccode\u003e.git/config\u003c/code\u003e file and execute the malicious \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads to arbitrary code execution with the privileges of the user running Vim or Emacs. For Vim, all versions 9.2.0271 and earlier are affected until patched. While the Emacs vulnerability remains unpatched, it poses a significant risk to users who routinely open files from unknown or untrusted sources, potentially leading to system compromise and data breaches. The number of potential victims is substantial given the widespread use of these editors by developers and system administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vim to version 9.2.0272 or later to patch the RCE vulnerability related to modeline handling (refer to the Vim flaw and fix section).\u003c/li\u003e\n\u003cli\u003eExercise extreme caution when opening files from unknown sources or downloaded online when using GNU Emacs due to the unpatched Git integration vulnerability (refer to the GNU Emacs points to Git section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of git with unusual core.fsmonitor configuration to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:45:14Z","date_published":"2026-03-31T21:45:14Z","id":"/briefs/2026-03-vim-emacs-rce/","summary":"Vulnerabilities in Vim (\u003c=9.2.0271) and GNU Emacs allow remote code execution by opening a specially crafted file, leveraging flaws in modeline handling and Git integration, respectively.","title":"Vim and Emacs Remote Code Execution Vulnerabilities Triggered by File Opening","url":"https://feed.craftedsignal.io/briefs/2026-03-vim-emacs-rce/"}],"language":"en","next_url":"/tags/rce/page/2/feed.json","title":"CraftedSignal Threat Feed — RCE","version":"https://jsonfeed.org/version/1.1"}