https://feed.craftedsignal.io/tags/webapps/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 00:00:00 +0000https://feed.craftedsignal.io/briefs/2026-05-bludit-rce/Fri, 08 May 2026 00:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-bludit-rce/A remote code execution vulnerability exists in Bludit CMS 3.18.4, for which a public exploit has been published, increasing the risk to unpatched systems.A remote code execution vulnerability has been identified in Bludit CMS version 3.18.4. The vulnerability is now considered critical due to the public availability of a working exploit (EDB-52553) on Exploit-DB. This exploit allows unauthenticated attackers to execute arbitrary code on systems running the vulnerable version of Bludit CMS. The availability of a public exploit lowers the barrier to entry for attackers, potentially leading to widespread exploitation attempts. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.

Attack Chain

1. Attacker identifies a Bludit CMS 3.18.4 instance accessible over the internet.
2. Attacker crafts a malicious HTTP request containing the RCE exploit.
3. The crafted request is sent to the vulnerable Bludit CMS server.
4. The Bludit CMS processes the malicious request without proper sanitization.
5. The exploit triggers arbitrary code execution on the server.
6. Attacker executes commands to gain a persistent foothold (e.g., by writing a web shell).
7. Attacker uses the web shell to perform further reconnaissance and lateral movement.
8. Attacker achieves their objective, such as data exfiltration or defacement of the website.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the target system, potentially leading to full system compromise. This could result in data breaches, website defacement, or the use of the compromised server for malicious purposes such as hosting malware or participating in botnets. The impact is especially severe for publicly accessible Bludit CMS installations.

Recommendation

• Upgrade Bludit CMS to a patched version that addresses this RCE vulnerability if available.
• Deploy the Sigma rule “Detect Bludit CMS RCE Attempt via HTTP Request” to identify exploitation attempts in web server logs.
• Implement web application firewall (WAF) rules to filter out malicious requests targeting the RCE vulnerability.
• Monitor web server logs for suspicious activity, such as unusual file access or command execution patterns.
• Apply principle of least privilege to the web server user account to limit the impact of a successful exploit.
• Consider using a runtime application self-protection (RASP) solution to detect and block RCE attempts in real-time.

]]>highadvisorywebappsrcebludithttps://feed.craftedsignal.io/briefs/2026-05-luajit-rce/Thu, 07 May 2026 00:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-luajit-rce/A public exploit has been published for LuaJIT version 2.1.1774638290, enabling arbitrary code execution on vulnerable web applications.A public exploit (EDB-52554) has been published on Exploit-DB targeting LuaJIT version 2.1.1774638290. This exploit allows for arbitrary code execution within web applications utilizing the vulnerable LuaJIT version. The availability of a working exploit significantly increases the risk to systems running unpatched versions of LuaJIT. Given the widespread use of LuaJIT in web applications, defenders should prioritize identifying and patching vulnerable instances to prevent potential exploitation. The exploit’s publication on a public platform like Exploit-DB makes it accessible to a wide range of threat actors, increasing the likelihood of real-world attacks.

Attack Chain

1. An attacker identifies a web application using a vulnerable version of LuaJIT (2.1.1774638290).
2. The attacker crafts a malicious HTTP request designed to trigger the vulnerability.
3. This request contains specially crafted Lua code or data that exploits the arbitrary code execution flaw.
4. The web server processes the malicious request, and LuaJIT attempts to execute the attacker-controlled code.
5. Due to the vulnerability, the attacker’s code executes within the context of the web application.
6. The attacker can then use this initial foothold to execute system commands, read sensitive files, or establish persistence.
7. Depending on the web application’s permissions, the attacker might be able to compromise the entire server.
8. The final objective is typically to gain unauthorized access to data, disrupt services, or use the compromised server as a launchpad for further attacks.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected web server. This can lead to complete system compromise, data theft, denial of service, and further lateral movement within the network. The specific impact depends on the privileges of the web application and the attacker’s objectives. Due to the ease of access to the exploit code, any web application using the vulnerable LuaJIT version is at immediate risk.

Recommendation

• Identify all instances of LuaJIT version 2.1.1774638290 in your environment and prioritize patching or upgrading to a secure version.
• Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts targeting this vulnerability.
• Monitor web server logs for suspicious activity, particularly HTTP requests containing unusual Lua code patterns (see Sigma rules).
• Implement input validation and sanitization measures to prevent the injection of malicious code into LuaJIT environments.

]]>criticalthreatwebappscode-executionluajithttps://feed.craftedsignal.io/briefs/2026-05-ghost-cms-sqli/Thu, 07 May 2026 00:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-ghost-cms-sqli/A SQL injection vulnerability exists in Ghost CMS 6.19.0, and a public exploit (EDB-52555) is available, increasing the risk to unpatched systems.A SQL injection vulnerability has been identified in Ghost CMS version 6.19.0. A public exploit (EDB-52555) is available on Exploit-DB, which significantly increases the risk to unpatched systems. The vulnerability allows for potential unauthorized access to the database, leading to data breaches or modification. Ghost CMS is a popular open-source platform for creating and managing online publications. The availability of a working exploit makes exploitation easier and more likely.

Attack Chain

1. Attacker identifies a Ghost CMS 6.19.0 instance.
2. Attacker crafts a malicious SQL query designed to exploit the SQL injection vulnerability.
3. Attacker injects the crafted SQL query into a vulnerable parameter or input field of the Ghost CMS application.
4. The application processes the malicious SQL query without proper sanitization or validation.
5. The injected SQL query is executed against the underlying database.
6. The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, posts, or configuration settings.
7. The attacker may modify data, create new administrative accounts, or extract sensitive information.

Impact

Successful exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive data stored in the Ghost CMS database. This could include user credentials, content, and potentially system configurations. The impact ranges from data breaches and defacement of the website to complete compromise of the Ghost CMS instance.

Recommendation

• Upgrade Ghost CMS to a patched version that addresses the SQL injection vulnerability.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
• Implement input validation and sanitization measures to prevent SQL injection attacks.
• Monitor web server logs for suspicious activity and potential SQL injection attempts.

]]>highadvisorysqliwebappsghostcms