{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webapps/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bludit CMS 3.18.4"],"_cs_severities":["high"],"_cs_tags":["webapps","rce","bludit"],"_cs_type":"advisory","_cs_vendors":["Bludit"],"content_html":"\u003cp\u003eA remote code execution vulnerability has been identified in Bludit CMS version 3.18.4. The vulnerability is now considered critical due to the public availability of a working exploit (EDB-52553) on Exploit-DB. This exploit allows unauthenticated attackers to execute arbitrary code on systems running the vulnerable version of Bludit CMS. The availability of a public exploit lowers the barrier to entry for attackers, potentially leading to widespread exploitation attempts. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Bludit CMS 3.18.4 instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing the RCE exploit.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the vulnerable Bludit CMS server.\u003c/li\u003e\n\u003cli\u003eThe Bludit CMS processes the malicious request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe exploit triggers arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands to gain a persistent foothold (e.g., by writing a web shell).\u003c/li\u003e\n\u003cli\u003eAttacker uses the web shell to perform further reconnaissance and lateral movement.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their objective, such as data exfiltration or 
defacement of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the target system, potentially leading to full system compromise. This could result in data breaches, website defacement, or the use of the compromised server for malicious purposes such as hosting malware or participating in botnets. The impact is especially severe for publicly accessible Bludit CMS installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Bludit CMS to a patched version that addresses this RCE vulnerability, if available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Bludit CMS RCE Attempt via HTTP Request\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out malicious requests targeting the RCE vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual file access or command execution patterns.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to the web server user account to limit the impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eConsider using a runtime application self-protection (RASP) solution to detect and block RCE attempts in real time.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T00:00:00Z","date_published":"2026-05-08T00:00:00Z","id":"/briefs/2026-05-bludit-rce/","summary":"A remote code execution vulnerability exists in Bludit CMS 3.18.4, for which a public exploit has been published, increasing the risk to unpatched systems.","title":"Bludit CMS 3.18.4 Remote Code Execution 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-bludit-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LuaJIT 2.1.1774638290"],"_cs_severities":["critical"],"_cs_tags":["webapps","code-execution","luajit"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA public exploit (EDB-52554) has been published on Exploit-DB targeting LuaJIT version 2.1.1774638290. This exploit allows for arbitrary code execution within web applications utilizing the vulnerable LuaJIT version. The availability of a working exploit significantly increases the risk to systems running unpatched versions of LuaJIT. Given the widespread use of LuaJIT in web applications, defenders should prioritize identifying and patching vulnerable instances to prevent potential exploitation. The exploit\u0026rsquo;s publication on a public platform like Exploit-DB makes it accessible to a wide range of threat actors, increasing the likelihood of real-world attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application using a vulnerable version of LuaJIT (2.1.1774638290).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request designed to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eThis request contains specially crafted Lua code or data that exploits the arbitrary code execution flaw.\u003c/li\u003e\n\u003cli\u003eThe web server processes the malicious request, and LuaJIT attempts to execute the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the attacker\u0026rsquo;s code executes within the context of the web application.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this initial foothold to execute system commands, read sensitive files, or establish persistence.\u003c/li\u003e\n\u003cli\u003eDepending on the web 
application\u0026rsquo;s permissions, the attacker might be able to compromise the entire server.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to data, disrupt services, or use the compromised server as a launchpad for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected web server. This can lead to complete system compromise, data theft, denial of service, and further lateral movement within the network. The specific impact depends on the privileges of the web application and the attacker\u0026rsquo;s objectives. Due to the ease of access to the exploit code, any web application using the vulnerable LuaJIT version is at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of LuaJIT version 2.1.1774638290 in your environment and prioritize patching or upgrading to a secure version.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, particularly HTTP requests containing unusual Lua code patterns (see Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent the injection of malicious code into LuaJIT environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:00:00Z","date_published":"2026-05-07T00:00:00Z","id":"/briefs/2026-05-luajit-rce/","summary":"A public exploit has been published for LuaJIT version 2.1.1774638290, enabling arbitrary code execution on vulnerable web applications.","title":"LuaJIT 2.1.1774638290 Arbitrary Code Execution 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-luajit-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ghost CMS 6.19.0"],"_cs_severities":["high"],"_cs_tags":["sqli","webapps","ghostcms"],"_cs_type":"advisory","_cs_vendors":["Ghost"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in Ghost CMS version 6.19.0. A public exploit (EDB-52555) is available on Exploit-DB, which significantly increases the risk to unpatched systems. The vulnerability allows for potential unauthorized access to the database, leading to data breaches or modification. Ghost CMS is a popular open-source platform for creating and managing online publications. The availability of a working exploit makes exploitation easier and more likely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Ghost CMS 6.19.0 instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query designed to exploit the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker injects the crafted SQL query into a vulnerable parameter or input field of the Ghost CMS application.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious SQL query without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, posts, or configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify data, create new administrative accounts, or extract sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to unauthorized access to 
sensitive data stored in the Ghost CMS database. This could include user credentials, content, and potentially system configurations. The impact ranges from data breaches and defacement of the website to complete compromise of the Ghost CMS instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Ghost CMS to a patched version that addresses the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity and potential SQL injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:00:00Z","date_published":"2026-05-07T00:00:00Z","id":"/briefs/2026-05-ghost-cms-sqli/","summary":"A SQL injection vulnerability exists in Ghost CMS 6.19.0, and a public exploit (EDB-52555) is available, increasing the risk to unpatched systems.","title":"Ghost CMS 6.19.0 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-ghost-cms-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Webapps","version":"https://jsonfeed.org/version/1.1"}