{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webserver/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4670"},{"cvss":7.7,"id":"CVE-2026-5174"}],"_cs_exploited":true,"_cs_products":["MOVEit Automation","MOVEit Automation \u003c= 2025.1.4","MOVEit Automation \u003c= 2025.0.8","MOVEit Automation \u003c= 2024.1.7"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","privilege-escalation","cve-2026-4670","cve-2026-5174","webserver"],"_cs_type":"threat","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. 
Defenders should prioritize patching to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).\u003c/li\u003e\n\u003cli\u003eThe vulnerable MOVEit Automation software fails to properly validate the attacker\u0026rsquo;s identity, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the MOVEit Automation application with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data stored within MOVEit Automation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. 
Given the history of MOVEit products being targeted, a successful attack could have widespread impact across the many sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected MOVEit Automation installations to 2024.1.8, 2025.0.9 or 2025.1.5 (or later in the same branch), as recommended by Progress Software, to remediate CVE-2026-4670 and CVE-2026-5174. Installations older than 2024.0.0 have no fixed release in their own branch and must be upgraded to one of the fixed branches.\u003c/li\u003e\n\u003cli\u003eIncrease monitoring and detection coverage for MOVEit Automation hosts, as recommended by the CCB, and confirm that the service is not reachable from the internet unless that exposure is required.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026ldquo;Detect MOVEit Automation Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-4670 in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:08:49Z","date_published":"2026-05-04T15:08:49Z","id":"/briefs/2026-05-moveit-auth-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.","title":"Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7750"}],"_cs_exploited":false,"_cs_products":["N300RH 3.2.4-B20220812"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","router","cve","webserver"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-7750, affects Totolink N300RH router version 3.2.4-B20220812. 
The vulnerability resides in the \u003ccode\u003esetMacFilterRules\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, which handles POST requests. Attackers can exploit this flaw by sending a specially crafted POST request with an overly long \u003ccode\u003emac_address\u003c/code\u003e parameter, triggering a buffer overflow. Successful exploitation allows for arbitrary code execution on the device. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread attacks. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003emac_address\u003c/code\u003e parameter, injecting a string longer than the buffer allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetMacFilterRules\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003emac_address\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe overly long \u003ccode\u003emac_address\u003c/code\u003e value overflows the buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the web server, allowing the attacker to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete 
control over the router, potentially using it for further malicious activities such as network pivoting, data exfiltration, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7750 allows a remote attacker to execute arbitrary code on the vulnerable Totolink N300RH device. This could lead to a complete compromise of the router, allowing the attacker to control network traffic, steal sensitive information, or use the router as a bot in a larger attack. Given the public availability of the exploit, a large number of unpatched devices could be vulnerable to automated attacks, potentially impacting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Totolink to address CVE-2026-7750.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect and block suspicious POST requests targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint with excessively long \u003ccode\u003emac_address\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e, focusing on requests with large \u003ccode\u003emac_address\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:16:01Z","date_published":"2026-05-04T10:16:01Z","id":"/briefs/2026-05-totolink-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Totolink N300RH 3.2.4-B20220812 allowing remote attackers to execute arbitrary code by manipulating the mac_address argument in the setMacFilterRules function of the /cgi-bin/cstecgi.cgi POST request 
handler.","title":"Totolink N300RH Buffer Overflow Vulnerability (CVE-2026-7750)","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7727"}],"_cs_exploited":false,"_cs_products":["PDM Product Data Management System (\u003c= 8.3.9)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7727","webserver"],"_cs_type":"advisory","_cs_vendors":["Shandong Hoteam Software"],"content_html":"\u003cp\u003eShandong Hoteam Software\u0026rsquo;s PDM Product Data Management System before version 8.3.10 is susceptible to a SQL injection vulnerability. The vulnerability exists in the \u003ccode\u003e/Base/BaseService.asmx/DataService\u003c/code\u003e file, specifically affecting the \u003ccode\u003eGetQueryMachineGridOnePageData\u003c/code\u003e function. By manipulating the \u003ccode\u003eSortOrder\u003c/code\u003e argument, a remote attacker can inject malicious SQL queries into the system. Successful exploitation could lead to unauthorized data access, modification, or even complete system compromise. Organizations using versions prior to 8.3.10 are urged to upgrade immediately to mitigate the risk. 
This vulnerability was reported on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Shandong Hoteam PDM instance running a version prior to 8.3.10.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/Base/BaseService.asmx/DataService\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker modifies the \u003ccode\u003eSortOrder\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSortOrder\u003c/code\u003e argument is injected with SQL code.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the attacker-supplied SQL code.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the backend database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the data or uses it for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands on the affected system. This can lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database server. Organizations using vulnerable versions of Shandong Hoteam PDM Product Data Management System could suffer significant data breaches, financial losses, and reputational damage. 
There are no specific victim counts or sector targeting available, but this could affect any organization utilizing the vulnerable PDM system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Shandong Hoteam Software PDM Product Data Management System to version 8.3.10 or later to remediate the vulnerability as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Hoteam PDM SQL Injection Attempt\u003c/code\u003e to identify malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing potentially malicious SQL syntax in the \u003ccode\u003eSortOrder\u003c/code\u003e parameter, as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in web applications, mitigating similar risks in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T05:16:00Z","date_published":"2026-05-04T05:16:00Z","id":"/briefs/2026-05-hoteam-pdm-sqli/","summary":"Shandong Hoteam Software PDM Product Data Management System up to version 8.3.9 is vulnerable to SQL injection via manipulation of the SortOrder argument in the GetQueryMachineGridOnePageData function of the /Base/BaseService.asmx/DataService file, allowing remote attackers to potentially execute arbitrary SQL commands.","title":"Shandong Hoteam PDM Product Data Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-hoteam-pdm-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7694"}],"_cs_exploited":false,"_cs_products":["ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7694","webserver"],"_cs_type":"advisory","_cs_vendors":["Acrel 
Electrical"],"content_html":"\u003cp\u003eAcrel Electrical\u0026rsquo;s ECEMS Enterprise Microgrid Energy Efficiency Management System version 1.3.0 is vulnerable to SQL injection. The vulnerability resides in the \u003ccode\u003e/SubstationWEBV2/main/elecMaxMinAvgValue\u003c/code\u003e file, where manipulation of the \u003ccode\u003efCircuitids\u003c/code\u003e argument allows for the injection of arbitrary SQL commands. The vulnerability, identified as CVE-2026-7694, can be exploited remotely without authentication, posing a significant risk to systems exposed to the network. The vendor was notified but did not respond, and a public exploit is available, increasing the likelihood of exploitation. This flaw allows attackers to potentially access, modify, or delete sensitive data within the ECEMS database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an accessible instance of Acrel ECEMS 1.3.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL payload designed to extract sensitive information or modify the database.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to \u003ccode\u003e/SubstationWEBV2/main/elecMaxMinAvgValue\u003c/code\u003e with the SQL payload embedded in the \u003ccode\u003efCircuitids\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe ECEMS application fails to properly sanitize the \u003ccode\u003efCircuitids\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-supplied SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe database server processes the malicious query, potentially returning sensitive data or executing harmful commands.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the output of the injected SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted information for further malicious activities, such as data exfiltration, privilege 
escalation, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could allow an attacker to read sensitive information from the ECEMS database, modify existing data, or even gain administrative access to the system. This could lead to the compromise of energy efficiency management data, potentially impacting grid stability and financial records. Given the lack of vendor response and the availability of a public exploit, organizations using the affected software are at high risk. The impact includes potential data breaches, system outages, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious requests to \u003ccode\u003e/SubstationWEBV2/main/elecMaxMinAvgValue\u003c/code\u003e containing potentially malicious SQL syntax within the \u003ccode\u003efCircuitids\u003c/code\u003e parameter (see Sigma rule \u0026ldquo;Detect Acrel ECEMS SQL Injection Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SQL Injection Error Messages\u0026rdquo; to identify potential SQL injection attempts across all web applications.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all user-supplied input, especially the \u003ccode\u003efCircuitids\u003c/code\u003e parameter in \u003ccode\u003e/SubstationWEBV2/main/elecMaxMinAvgValue\u003c/code\u003e, to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) to filter out malicious requests targeting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T12:15:59Z","date_published":"2026-05-03T12:15:59Z","id":"/briefs/2026-05-acrel-sql-injection/","summary":"A SQL injection vulnerability in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency 
Management System 1.3.0 allows remote attackers to execute arbitrary SQL commands by manipulating the 'fCircuitids' argument in the '/SubstationWEBV2/main/elecMaxMinAvgValue' file.","title":"Acrel ECEMS SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-acrel-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7684"}],"_cs_exploited":false,"_cs_products":["BR-6428nC (\u003c= 1.16)"],"_cs_severities":["critical"],"_cs_tags":["buffer overflow","cve-2026-7684","webserver"],"_cs_type":"advisory","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, tracked as CVE-2026-7684, affects Edimax BR-6428nC devices up to version 1.16. The vulnerability resides in the \u003ccode\u003e/goform/setWAN\u003c/code\u003e file, specifically within the handling of the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument. An unauthenticated attacker can exploit this flaw remotely by sending a crafted request to the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. 
The vendor was notified but did not respond, suggesting that a patch is unlikely and highlighting the need for mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Edimax BR-6428nC device running a vulnerable firmware version (\u0026lt;= 1.16).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setWAN\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003epptpDfGateway\u003c/code\u003e parameter with a value exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe device processes the request, and the oversized \u003ccode\u003epptpDfGateway\u003c/code\u003e value overflows the buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow.\u003c/li\u003e\n\u003cli\u003eExecution is redirected to attacker-controlled code injected within the overflowed buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device, potentially achieving full system control.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use this control to modify device settings, intercept network traffic, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can allow an attacker to gain complete control of the Edimax BR-6428nC device. This could enable the attacker to intercept and modify network traffic, access sensitive information, or use the device as a point of entry for further attacks within the network. 
Given the public availability of exploit code, the risk of widespread exploitation is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEdimax_BR_6428nC_Buffer_Overflow_setWAN\u003c/code\u003e to detect suspicious HTTP requests targeting the vulnerable endpoint and parameter.\u003c/li\u003e\n\u003cli\u003eConsider blocking or rate-limiting access to the \u003ccode\u003e/goform/setWAN\u003c/code\u003e endpoint from untrusted networks.\u003c/li\u003e\n\u003cli\u003eSince the vendor is unresponsive and a patch is unlikely, network segmentation and access control policies are the best mitigation options.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:16:25Z","date_published":"2026-05-03T07:16:25Z","id":"/briefs/2026-05-edimax-br-6428nc-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in Edimax BR-6428nC devices up to version 1.16 via manipulation of the pptpDfGateway argument in the /goform/setWAN file, potentially allowing for arbitrary code execution.","title":"Edimax BR-6428nC Buffer Overflow Vulnerability (CVE-2026-7684)","url":"https://feed.craftedsignal.io/briefs/2026-05-edimax-br-6428nc-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7685"}],"_cs_exploited":false,"_cs_products":["BR-6208AC (\u003c= 1.02)"],"_cs_severities":["critical"],"_cs_tags":["buffer overflow","cve-2026-7685","router","webserver"],"_cs_type":"advisory","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-7685, has been identified in Edimax BR-6208AC routers up to version 1.02. The vulnerability resides within the \u003ccode\u003e/goform/setWAN\u003c/code\u003e file, specifically related to the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument. 
Successful exploitation of this flaw could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but has not responded. Given the ease of exploitation and the potential for significant impact, this vulnerability poses a critical threat to affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Edimax BR-6208AC router with firmware version 1.02 or earlier exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setWAN\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument, injecting a payload exceeding the buffer\u0026rsquo;s expected size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the malicious request without proper input validation on the size of the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized payload overwrites adjacent memory regions on the stack, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eWhen the function attempts to return, it jumps to an address controlled by the attacker, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to gain control of the device, potentially installing malware or modifying router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the Edimax BR-6208AC router. 
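The Totolink, Hoteam, Acrel and both Edimax briefs above all end with the same instruction: watch web server logs for requests to one endpoint whose one parameter is either far too long (mac_address, pptpDfGateway) or carries SQL syntax (SortOrder, fCircuitids). The following is an added worked example of that detection pass, written for this page; it is not the feed's Sigma rules and not any vendor's code. It assumes a log source that records request bodies (a plain access log does not, so the POST parameters the briefs name are only visible in a reverse-proxy, WAF or request-audit log), and the JSON-lines record layout, the sample records, the length ceilings and the value grammars for SortOrder and fCircuitids are all constructed for the example rather than taken from the advisories.

```python
"""Detection logic for the web-log recommendations in the Totolink, Hoteam,
Acrel and Edimax briefs.  Added example, not the briefs' Sigma rules.

Assumptions: the log records request bodies (a plain access log does not);
the JSON-lines layout, length ceilings and value grammars below are
constructed for this example, not taken from the advisories.
"""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> parameter -> maximum sane length.  Assumed ceilings: a MAC is
# 17 characters, a PPTP gateway is an IPv4 address or a hostname.  The
# advisories do not state the real buffer sizes.
LENGTH_RULES = {
    "/cgi-bin/cstecgi.cgi": {"mac_address": 32},
    "/goform/setWAN": {"pptpDfGateway": 64},
}

# Endpoint -> parameter -> grammar a legitimate value must match (assumed
# from the parameter names: a sort direction, a list of numeric circuit ids).
# Anything outside the grammar is reported; values that also carry SQL
# syntax are tagged as likely injection rather than a mere malformed request.
GRAMMAR_RULES = {
    "/Base/BaseService.asmx/DataService": {
        "SortOrder": re.compile(r"(?i)asc|desc")},
    "/SubstationWEBV2/main/elecMaxMinAvgValue": {
        "fCircuitids": re.compile(r"\d+(,\d+)*")},
}
SQL_SYNTAX = re.compile(
    r"(?i)['\"]|--|/\*|;|\b(union|select|sleep|waitfor|benchmark|or|and)\b")


def extract_params(rec: dict) -> dict[str, list[str]]:
    """Merge query-string and body parameters.  The body may be form-encoded
    (the Edimax/Hoteam requests) or a JSON object (Totolink's cstecgi.cgi
    takes JSON), so both shapes are handled."""
    params: dict[str, list[str]] = {}
    query = urlsplit(rec.get("uri", "")).query
    body = rec.get("body", "") or ""
    if body.lstrip().startswith("{"):
        try:
            for key, value in json.loads(body).items():
                params.setdefault(key, []).append(str(value))
        except (ValueError, AttributeError):
            params.setdefault("_unparsed_body", []).append(body)
        body = ""
    for source in (query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def scan_record(line: str) -> list[dict]:
    """Apply both rule sets to one JSON-lines record and return findings."""
    rec = json.loads(line)
    path = urlsplit(rec.get("uri", "")).path
    params = extract_params(rec)
    findings = []
    for name, limit in LENGTH_RULES.get(path, {}).items():
        for value in params.get(name, []):
            if len(value) > limit:
                findings.append({"rule": "oversized-param", "src": rec.get("src"),
                                 "path": path, "param": name, "length": len(value)})
    for name, pattern in GRAMMAR_RULES.get(path, {}).items():
        for value in params.get(name, []):
            if pattern.fullmatch(value) is None:
                rule = "sql-syntax" if SQL_SYNTAX.search(value) else "off-grammar"
                findings.append({"rule": rule, "src": rec.get("src"), "path": path,
                                 "param": name, "value": value[:80]})
    return findings


def scan_log(text: str) -> list[dict]:
    return [f for line in text.splitlines() if line.strip() for f in scan_record(line)]


# Constructed sample log: one benign and one hostile request per brief.
_RECORDS = [
    {"src": "192.0.2.10", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi",
     "body": json.dumps({"topicurl": "setMacFilterRules", "mac_address": "00:11:22:33:44:55"})},
    {"src": "198.51.100.7", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi",
     "body": json.dumps({"topicurl": "setMacFilterRules", "mac_address": "A" * 600})},
    {"src": "192.0.2.11", "method": "POST", "uri": "/goform/setWAN",
     "body": "wanType=pptp&pptpDfGateway=192.0.2.1"},
    {"src": "198.51.100.7", "method": "POST", "uri": "/goform/setWAN",
     "body": "wanType=pptp&pptpDfGateway=" + "B" * 900},
    {"src": "192.0.2.12", "method": "POST", "uri": "/Base/BaseService.asmx/DataService",
     "body": "PageIndex=1&SortOrder=DESC"},
    {"src": "198.51.100.8", "method": "POST", "uri": "/Base/BaseService.asmx/DataService",
     "body": "PageIndex=1&SortOrder=DESC%3B+WAITFOR+DELAY+%270%3A0%3A5%27--"},
    {"src": "192.0.2.13", "method": "GET",
     "uri": "/SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=101,102"},
    {"src": "198.51.100.8", "method": "GET",
     "uri": "/SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=101%29+UNION+SELECT+1%2Cuser%28%29--"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two design points carry over from detection to remediation. A value grammar (ASC/DESC, a comma-separated id list) has far fewer false positives than a list of SQL keywords, and it is also the only correct fix on the application side: a sort direction or column list cannot be bound as a query parameter, so the Hoteam recommendation to "validate and sanitize" SortOrder means exactly this kind of allowlist. And the length rule only works where the body is logged; without a proxy or WAF in front of the router, the Totolink and Edimax detections have nothing to read.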
An attacker could leverage this access to perform a variety of malicious activities, including eavesdropping on network traffic, injecting malicious code into web pages served by the router, or using the router as a bot in a larger botnet. Given the availability of public exploits, unpatched devices are at immediate risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Edimax BR-6208AC setWAN Buffer Overflow Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/goform/setWAN\u003c/code\u003e containing unusually long \u003ccode\u003epptpDfGateway\u003c/code\u003e parameters, as detected by the Sigma rule \u003ccode\u003eDetect Long pptpDfGateway Parameter\u003c/code\u003e. Note that the parameter travels in the POST body, which a standard access log does not record; this detection needs body logging at a proxy or WAF in front of the device.\u003c/li\u003e\n\u003cli\u003eApply appropriate network segmentation to limit the blast radius of compromised devices and prevent lateral movement, and keep the management interface off the WAN side.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:16:25Z","date_published":"2026-05-03T07:16:25Z","id":"/briefs/2026-05-edimax-bo/","summary":"A buffer overflow vulnerability exists in Edimax BR-6208AC devices (\u003c= 1.02) via manipulation of the pptpDfGateway argument in the /goform/setWAN endpoint, potentially allowing remote attackers to execute arbitrary code.","title":"Edimax BR-6208AC Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-edimax-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7593"}],"_cs_exploited":false,"_cs_products":["command-executor-mcp-server"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7593","command-injection","webserver"],"_cs_type":"advisory","_cs_vendors":["Sunwood-ai-labs"],"content_html":"\u003cp\u003eA high-severity OS command injection vulnerability (CVE-2026-7593, CVSS 7.3) affects Sunwood-ai-labs command-executor-mcp-server 
versions up to 0.1.0. This vulnerability resides within the \u003ccode\u003eexecute_command\u003c/code\u003e function of the \u003ccode\u003esrc/index.ts\u003c/code\u003e file, a component of the MCP Interface. Successful exploitation allows a remote attacker to inject and execute arbitrary operating system commands on the server. The vulnerability has been publicly disclosed, making it a high-risk issue for systems running the affected software. The vendor was notified through an issue report but has not yet responded, potentially increasing the window of opportunity for attackers. Defenders should prioritize patching or mitigating this vulnerability to prevent unauthorized command execution and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of Sunwood-ai-labs command-executor-mcp-server running version 0.1.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eexecute_command\u003c/code\u003e function within the MCP Interface.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes an OS command injection payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecute_command\u003c/code\u003e function in \u003ccode\u003esrc/index.ts\u003c/code\u003e fails to properly sanitize or neutralize the input, passing it directly to the operating system.\u003c/li\u003e\n\u003cli\u003eThe operating system executes the attacker-supplied command with the privileges of the server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this access to perform further actions such as escalating privileges, installing malware, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of 
CVE-2026-7593 allows an attacker to execute arbitrary commands on the affected server. This could lead to complete system compromise, including data theft, service disruption, or the deployment of malicious software. Given the ease of exploitation and the public disclosure, organizations using the vulnerable Sunwood-ai-labs command-executor-mcp-server are at significant risk. While the exact number of affected installations is unknown, the potential impact is severe due to the possibility of full remote control over the compromised server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates from Sunwood-ai-labs to address CVE-2026-7593.\u003c/li\u003e\n\u003cli\u003eDo not pass tool input from \u003ccode\u003eexecute_command\u003c/code\u003e to a shell: run only allowlisted programs, pass arguments as an array so the OS never interprets metacharacters, and reject unexpected flags. Input sanitization on its own is not a sufficient fix for OS command injection.\u003c/li\u003e\n\u003cli\u003eBecause the server exists to run commands on a model\u0026rsquo;s behalf, restrict who can reach the MCP endpoint (bind it to localhost or require authentication); any remote caller who can submit tool calls has command execution by design.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Command Execution via MCP Server\u003c/code\u003e to identify potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious requests targeting the MCP Interface, specifically those containing command injection payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T21:16:17Z","date_published":"2026-05-01T21:16:17Z","id":"/briefs/2026-05-sunwood-command-injection/","summary":"CVE-2026-7593 is an OS command injection vulnerability in Sunwood-ai-labs command-executor-mcp-server up to version 0.1.0, allowing remote attackers to execute arbitrary commands via the execute_command function in src/index.ts.","title":"Sunwood-ai-labs command-executor-mcp-server OS Command Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-sunwood-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["WHM","cPanel"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","authentication-bypass","CVE-2026-41940","webserver"],"_cs_type":"advisory","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eOn April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. 
This vulnerability poses a significant risk to web hosting providers and their customers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the cPanel/WHM interface.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the server to identify valuable files, directories, and database configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker executes uploaded payloads to establish persistent access, such as a web shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. 
The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule \u003ccode\u003eDetectCpanelAuthBypassAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule \u003ccode\u003eDetectCpanelAccountManipulation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:25Z","date_published":"2026-04-29T16:16:25Z","id":"/briefs/2026-04-cpanel-auth-bypass/","summary":"An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7061"}],"_cs_exploited":false,"_cs_products":["chatgpt-mcp-server"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7061","command-injection","webserver"],"_cs_type":"advisory","_cs_vendors":["Toowiredd"],"content_html":"\u003cp\u003eToowiredd chatgpt-mcp-server, specifically versions up to 0.1.0, contains an OS command injection vulnerability within the \u003ccode\u003esrc/services/docker.service.ts\u003c/code\u003e file of the MCP/HTTP component. 
This flaw allows for remote exploitation, potentially enabling attackers to execute arbitrary commands on the underlying operating system. The vulnerability, identified as CVE-2026-7061, has a publicly available exploit, increasing the risk of exploitation. The project maintainers were notified via an issue report but have not yet addressed the vulnerability, making it crucial for defenders to implement mitigation and detection measures. This poses a significant risk to systems running vulnerable versions of chatgpt-mcp-server, as successful exploitation could lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of Toowiredd chatgpt-mcp-server running version 0.1.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the MCP/HTTP component.\u003c/li\u003e\n\u003cli\u003eThe request exploits the command injection vulnerability in \u003ccode\u003esrc/services/docker.service.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server-side code improperly sanitizes input, allowing the attacker to inject OS commands.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the server with the privileges of the chatgpt-mcp-server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, deploying malware, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this OS command injection vulnerability (CVE-2026-7061) in Toowiredd chatgpt-mcp-server can lead to complete system compromise. 
Attackers can execute arbitrary commands, potentially leading to data breaches, service disruption, or the deployment of malicious software. Given the public availability of the exploit, organizations using this software are at a heightened risk of attack. The lack of a patch from the project maintainers further exacerbates the risk, making proactive detection and mitigation measures essential.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting the MCP/HTTP component of chatgpt-mcp-server, focusing on requests that might be attempting command injection (log source: webserver, product: linux).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious chatgpt-mcp-server Command Injection Attempts\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eRestrict access to the chatgpt-mcp-server instance to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) to filter out malicious requests.\u003c/li\u003e\n\u003cli\u003eMonitor child processes spawned by the chatgpt-mcp-server process for unexpected or malicious commands (log source: process_creation, product: linux).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T22:17:33Z","date_published":"2026-04-26T22:17:33Z","id":"/briefs/2026-04-chatgpt-mcp-server-cmd-injection/","summary":"Toowiredd chatgpt-mcp-server up to version 0.1.0 is vulnerable to OS command injection via the file src/services/docker.service.ts of the component MCP/HTTP, allowing for remote exploitation.","title":"Toowiredd chatgpt-mcp-server OS Command Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-chatgpt-mcp-server-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41058"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2026-41058","avideo","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the \u003ccode\u003edeleteDump\u003c/code\u003e parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting \u003ccode\u003e../../\u003c/code\u003e sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) into the \u003ccode\u003edeleteDump\u003c/code\u003e parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe AVideo application fails to properly sanitize the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called with the attacker-controlled path, allowing deletion of arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the vulnerability to delete critical system files or 
configuration files.\u003c/li\u003e\n\u003cli\u003eThe application or server becomes unstable or inoperable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences in the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the CloneSite functionality and the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-avideo-path-traversal/","summary":"WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.","title":"WWBN AVideo Unauthenticated Path Traversal Vulnerability 
(CVE-2026-41058)","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6023"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6023","telerik","deserialization","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6023 exposes a critical vulnerability within the RadFilter control of Progress Telerik UI for AJAX. Affecting versions 2024.4.1114 to 2026.1.421, this flaw stems from insecure deserialization practices. The vulnerability arises when the filter state is exposed to the client, enabling malicious actors to manipulate this state. Successful exploitation grants attackers the ability to execute arbitrary code on the server. This vulnerability poses a significant risk to organizations utilizing the affected Telerik UI for AJAX versions, potentially leading to complete system compromise and data breaches. Defenders must promptly address this issue through patching or mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application utilizing a vulnerable version of Progress Telerik UI for AJAX (2024.4.1114 - 2026.1.421) with the RadFilter control enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the RadFilter control\u0026rsquo;s behavior, specifically how filter states are serialized and exposed to the client-side, typically within the HTTP request or response.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the serialized filter state data, often Base64 encoded or similar, transmitted between the client and server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized payload containing instructions to execute arbitrary code on the server. 
This involves exploiting the insecure deserialization process.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the original, legitimate serialized filter state with the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request containing the malicious serialized data to the server.\u003c/li\u003e\n\u003cli\u003eThe Telerik UI for AJAX application on the server attempts to deserialize the tampered data using the RadFilter control.\u003c/li\u003e\n\u003cli\u003eDue to the insecure deserialization vulnerability, the malicious payload is executed, granting the attacker remote code execution on the server. The attacker can then perform actions such as installing malware, exfiltrating sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6023 can lead to complete compromise of the affected server. An attacker can gain remote code execution, enabling them to install malware, steal sensitive data, or disrupt critical business operations. Given the widespread use of Telerik UI in enterprise applications, this vulnerability could potentially impact a large number of organizations across various sectors. 
Unpatched systems are at high risk of being exploited, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Progress Telerik UI for AJAX to a patched version outside the range of 2024.4.1114 through 2026.1.421 to remediate CVE-2026-6023.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telerik RadFilter Deserialization Attempt\u003c/code\u003e to identify attempts to exploit the deserialization vulnerability by monitoring for suspicious HTTP requests targeting the RadFilter control (Log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent malicious data from being deserialized.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the RadFilter control, such as requests with abnormally large or malformed serialized data (Log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T08:16:13Z","date_published":"2026-04-22T08:16:13Z","id":"/briefs/2026-04-telerik-rce/","summary":"An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.","title":"Insecure Deserialization Vulnerability in Telerik UI for AJAX RadFilter Control (CVE-2026-6023)","url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-33519"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["esri","arcgis","privilege-escalation","incorrect-authorization","cve-2026-33519","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33519 is a critical incorrect authorization vulnerability affecting Esri Portal 
for ArcGIS versions 11.4, 11.5, and 12.0. This flaw exists across Windows, Linux, and Kubernetes deployments and stems from the application\u0026rsquo;s failure to properly validate permissions assigned to developer credentials. This oversight allows attackers with malicious intent to potentially bypass intended authorization controls and escalate privileges within the ArcGIS portal. Given the widespread use of ArcGIS in critical infrastructure and mapping applications, this vulnerability poses a significant risk to organizations relying on these systems. Successful exploitation could lead to unauthorized access to sensitive data, modification of system configurations, or disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Esri Portal for ArcGIS application, potentially through compromised developer credentials or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages developer APIs or interfaces within ArcGIS Portal.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform actions that require elevated privileges but lack proper authorization checks due to the vulnerability (CVE-2026-33519).\u003c/li\u003e\n\u003cli\u003eThe system incorrectly grants the attacker access to restricted functions or data due to the insufficient permission validation.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting the unauthorized access to modify user roles or system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages elevated privileges to access sensitive data stored within the ArcGIS Portal, such as maps, geospatial data, or user information.\u003c/li\u003e\n\u003cli\u003eThe attacker may further compromise the system by installing malicious extensions or modifying core system files.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the ArcGIS 
Portal, potentially leading to data breaches, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33519 can lead to significant damage, including unauthorized access to sensitive geospatial data, modification of critical system configurations, and potential disruption of services reliant on ArcGIS Portal. Given the wide use of ArcGIS in government, utilities, and transportation sectors, a successful attack could impact essential services. The lack of proper authorization checks on developer credentials can expose organizations to data breaches, financial losses, and reputational damage. This vulnerability affects all deployments of Esri Portal for ArcGIS 11.4, 11.5, and 12.0 on Windows, Linux, and Kubernetes, potentially impacting a large number of organizations globally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Esri to address CVE-2026-33519 immediately after thorough testing in a non-production environment.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict permission controls for all developer credentials used within Esri Portal for ArcGIS to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious ArcGIS Developer API Usage\u003c/code\u003e to identify potential exploitation attempts targeting CVE-2026-33519.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to developer API endpoints in ArcGIS Portal, looking for unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for ArcGIS Portal\u0026rsquo;s authorization and authentication mechanisms to improve visibility into potential privilege escalation 
attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T21:16:29Z","date_published":"2026-04-21T21:16:29Z","id":"/briefs/2026-04-esri-privesc/","summary":"CVE-2026-33519 is a critical vulnerability in Esri Portal for ArcGIS 11.4, 11.5, and 12.0, where incorrect authorization checks on developer credentials can lead to unauthorized privilege escalation on Windows, Linux, and Kubernetes deployments.","title":"Esri Portal for ArcGIS Incorrect Authorization Vulnerability (CVE-2026-33519)","url":"https://feed.craftedsignal.io/briefs/2026-04-esri-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","cve-2026-6631","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e component of the router\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long \u0026lsquo;page\u0026rsquo; parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. 
Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F451 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET or POST request targeting \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e parameter with a payload exceeding the buffer size allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e server processes the request and passes the \u003ccode\u003epage\u003c/code\u003e parameter to the vulnerable \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper bounds checking, the overly long \u003ccode\u003epage\u003c/code\u003e parameter overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function completes execution and attempts to return, jumping to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e server, potentially gaining full control of the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. 
This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from Tenda to patch CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the Sigma rule \u003ccode\u003eDetectTendaF451BufferOverflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eConsider deploying the Sigma rule \u003ccode\u003eDetectTendaF451SuspiciousProcess\u003c/code\u003e to identify unexpected processes spawned by the httpd daemon.\u003c/li\u003e\n\u003cli\u003eIf patching is not immediately feasible, consider restricting access to the router\u0026rsquo;s web interface from the public internet to mitigate the risk of remote exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T11:16:19Z","date_published":"2026-04-20T11:16:19Z","id":"/briefs/2026-04-tenda-f451-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.","title":"Tenda F451 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33806"},{"cvss":7.5,"id":"CVE-2025-32442"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","validation-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFastify v5.x (specifically versions 5.3.2 through 5.8.4) contains a vulnerability where request body validation schemas specified via \u003ccode\u003eschema.body.content\u003c/code\u003e can be bypassed by prepending a single space character (\u003ccode\u003e\\x20\u003c/code\u003e) to the \u003ccode\u003eContent-Type\u003c/code\u003e header. This flaw, assigned CVE-2026-33806, arises from inconsistent handling of the Content-Type header during parsing and validation.  The body is parsed correctly as JSON, but schema validation is skipped entirely. This is a regression introduced by commit \u003ccode\u003ef3d2bcb\u003c/code\u003e (April 18, 2025), a fix for CVE-2025-32442. 
This vulnerability allows attackers to send malicious payloads that bypass intended data integrity and security checks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Fastify application using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request with a JSON payload designed to violate the validation schema (e.g., exceeding allowed amount or injecting invalid admin value).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends a single space character to the \u003ccode\u003eContent-Type\u003c/code\u003e header (e.g., \u003ccode\u003e Content-Type: application/json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Fastify server parses the \u003ccode\u003eContent-Type\u003c/code\u003e header using \u003ccode\u003elib/validation.js\u003c/code\u003e which splits the string, resulting in an empty string content type.\u003c/li\u003e\n\u003cli\u003eThe server fails to locate a validator associated with the empty string content type.\u003c/li\u003e\n\u003cli\u003eRequest body validation is skipped, and the malicious payload is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application processes the invalid data, potentially leading to unauthorized actions or data corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as transferring an excessive amount, manipulating data, or gaining unauthorized privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability affects Fastify applications using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation. By prepending a single space to the Content-Type header, attackers can bypass these validations. 
Successful exploitation allows an attacker to inject malicious payloads, leading to data corruption, unauthorized access, or other security breaches. While the exact number of victims is unknown, any application within the vulnerable version range is susceptible. This vulnerability requires no authentication and has zero complexity — it is a single-character modification to an HTTP header.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding \u003ccode\u003etrimStart()\u003c/code\u003e before the split in \u003ccode\u003egetEssenceMediaType\u003c/code\u003e within the Fastify framework to address CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fastify Validation Bypass Attempt\u0026rdquo; to your SIEM to identify attempts to exploit this vulnerability by monitoring for requests with leading spaces in the Content-Type header.\u003c/li\u003e\n\u003cli\u003eUpgrade Fastify to a version beyond 5.8.4 to mitigate CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eReview all Fastify routes that use \u003ccode\u003eschema.body.content\u003c/code\u003e for potential vulnerabilities related to content-type validation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:26:39Z","date_published":"2026-04-15T19:26:39Z","id":"/briefs/2026-06-27-fastify-validation-bypass/","summary":"Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.","title":"Fastify Body Schema Validation Bypass via Leading Space in Content-Type 
Header","url":"https://feed.craftedsignal.io/briefs/2026-06-27-fastify-validation-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-2332"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["request-smuggling","jetty","CVE-2026-2332","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJetty versions 9.4.0 through 12.1.6 are vulnerable to HTTP request smuggling due to incorrect parsing of quoted strings in HTTP/1.1 chunked transfer encoding extensions. This flaw stems from Jetty\u0026rsquo;s premature termination of chunk header parsing upon encountering a carriage return and line feed (CRLF) sequence within a quoted string, violating RFC 9112 specifications. An attacker can exploit this vulnerability to inject malicious HTTP requests into the application\u0026rsquo;s request stream, potentially bypassing security controls, poisoning caches, and even hijacking user sessions. This issue, identified as CVE-2026-2332, poses a significant risk to applications using affected Jetty versions. The vulnerability was discovered during research into \u0026ldquo;Funky Chunks\u0026rdquo; HTTP request smuggling techniques and highlights the importance of rigorous adherence to RFC specifications in HTTP server implementations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request with chunked transfer encoding to a vulnerable Jetty server.\u003c/li\u003e\n\u003cli\u003eThe chunk header includes a quoted string within the chunk extension, containing a CRLF sequence. 
For example: \u003ccode\u003eChunk: 1;a=\u0026quot;\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eJetty incorrectly parses the chunk header, terminating parsing at the CRLF within the quoted string.\u003c/li\u003e\n\u003cli\u003eThe remaining portion of the intended chunk extension and subsequent data are interpreted as the beginning of a new HTTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTTP GET request intended to be smuggled, such as \u003ccode\u003eGET /smuggled HTTP/1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe smuggled request is processed by the server, potentially bypassing frontend security checks.\u003c/li\u003e\n\u003cli\u003eThe server responds to the smuggled request.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the smuggled request to poison the cache, bypass access controls, or potentially hijack user sessions by intercepting sensitive data in the smuggled response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject arbitrary HTTP requests into the application\u0026rsquo;s request stream. This can lead to several severe consequences, including: cache poisoning, where malicious content is served to legitimate users; access control bypass, enabling unauthorized access to sensitive resources; and session hijacking, allowing attackers to impersonate other users. The vulnerability impacts Jetty versions 9.4.0 through 12.1.6. The number of affected installations is currently unknown. 
The primary target is any web application utilizing a vulnerable version of Jetty.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Jetty that addresses CVE-2026-2332.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Jetty HTTP Request Smuggling\u003c/code\u003e to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for malformed chunk headers containing CRLF sequences within quoted strings, as this indicates a potential exploitation attempt.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-jetty-request-smuggling/","summary":"Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.","title":"Jetty HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","url":"https://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25697"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25697","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCMSsite 1.0 is susceptible to an SQL injection vulnerability (CVE-2019-25697) within the category.php script. This flaw allows unauthenticated, remote attackers to inject arbitrary SQL commands by manipulating the \u003ccode\u003ecat_id\u003c/code\u003e GET parameter. Successful exploitation could lead to the disclosure of sensitive information stored within the database, including user credentials and other application data. 
Given the ease of exploitation and the potential impact, this vulnerability poses a significant risk to organizations using the affected CMSsite version. The vulnerability was reported to NVD and assigned a CVSS v3.1 score of 8.2, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CMSsite 1.0 installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting \u003ccode\u003ecategory.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003ecat_id\u003c/code\u003e parameter of the GET request, for example: \u003ccode\u003ecategory.php?cat_id=1' OR '1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the tainted \u003ccode\u003ecat_id\u003c/code\u003e value to the underlying SQL database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the database query, potentially bypassing intended security checks.\u003c/li\u003e\n\u003cli\u003eThe database executes the modified query, returning sensitive data to the web server.\u003c/li\u003e\n\u003cli\u003eThe web server includes the extracted data in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract sensitive information such as usernames, passwords, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to read sensitive information from the CMSsite 1.0 database. This can lead to complete compromise of the application, including unauthorized access to user accounts, exposure of confidential data, and potential further attacks on the underlying system. 
Given the lack of required authentication, any CMSsite 1.0 instance exposed to the internet is a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003ecat_id\u003c/code\u003e parameter in \u003ccode\u003ecategory.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious GET Requests to category.php with SQL Injection Attempts\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eRestrict database access privileges to the minimum necessary for the application to function.\u003c/li\u003e\n\u003cli\u003eConsider upgrading to a more secure CMS solution or applying a patch if one becomes available.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for unusual activity, paying close attention to GET requests targeting \u003ccode\u003ecategory.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements to prevent SQL injection vulnerabilities when interacting with the database.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:32Z","date_published":"2026-04-12T13:16:32Z","id":"/briefs/2026-04-cmssite-sqli/","summary":"CMSsite 1.0 is vulnerable to unauthenticated SQL injection (CVE-2019-25697) via the cat_id parameter in category.php, allowing attackers to extract sensitive database information.","title":"CMSsite 1.0 SQL Injection Vulnerability (CVE-2019-25697)","url":"https://feed.craftedsignal.io/briefs/2026-04-cmssite-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33710","chamilo","api-key","brute-force","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a popular learning 
management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 related to the generation of REST API keys (CVE-2026-33710). The API keys are generated using a flawed algorithm: \u003ccode\u003emd5(time() + (user_id * 5) - rand(10000, 10000))\u003c/code\u003e. Due to \u003ccode\u003erand(10000, 10000)\u003c/code\u003e always returning 10000, the formula simplifies to \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e. An attacker knowing a valid username and a rough estimate of when the API key was generated can brute-force the key due to the limited entropy. This vulnerability allows unauthorized access to the Chamilo LMS REST API. The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. This poses a significant threat to educational institutions and organizations using vulnerable versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.\u003c/li\u003e\n\u003cli\u003eAttacker estimates the API key creation time. 
This might be inferred from user activity or system logs.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a script to generate potential API keys based on the predictable formula \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e using the known username and estimated timestamp.\u003c/li\u003e\n\u003cli\u003eThe script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.\u003c/li\u003e\n\u003cli\u003eAttacker sends API requests with the generated API keys to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server validates the API key against the user.\u003c/li\u003e\n\u003cli\u003eUpon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. 
The vulnerability affects all organizations running vulnerable versions of Chamilo LMS; the number of victims is correlated to the number of vulnerable deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests originating from unexpected IP addresses, especially those containing potentially valid API keys by deploying the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate brute-force attempts.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider temporarily disabling the REST API.\u003c/li\u003e\n\u003cli\u003eReview and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-api-key-bruteforce/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.","title":"Chamilo LMS REST API Key Brute-Force Vulnerability (CVE-2026-33710)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34512"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["access-control","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.25 are susceptible to an improper access control vulnerability, tracked as CVE-2026-34512. 
This flaw resides in the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e HTTP route and allows any bearer-authenticated user, regardless of their assigned privileges, to execute admin-level session termination functions. The vulnerability stems from a lack of proper scope validation, enabling attackers to bypass intended ownership and operator scope restrictions. By sending crafted, authenticated requests, an attacker can leverage the \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function to terminate arbitrary subagent sessions. This unauthorized session termination could disrupt legitimate operations and lead to a denial-of-service condition for affected subagents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the OpenClaw application using any valid user account, obtaining a bearer token.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target subagent session to terminate. 
This could involve enumerating active sessions or targeting a specific subagent.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e route, replacing \u003ccode\u003e:sessionKey\u003c/code\u003e with the session key of the target subagent.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the bearer token in the \u003ccode\u003eAuthorization\u003c/code\u003e header of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server receives the request and, due to the missing scope validation, executes the \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function terminates the targeted subagent session, regardless of the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe targeted subagent is disconnected and its operations are interrupted.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to terminate other subagent sessions, potentially causing widespread disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34512 allows any authenticated user to terminate arbitrary subagent sessions within the OpenClaw environment. This can lead to denial-of-service conditions for targeted subagents, potentially disrupting critical workflows and impacting overall system availability. While the specific number of potential victims is unknown, any OpenClaw deployment utilizing versions prior to 2026.3.25 is vulnerable. 
The impact is significant, as it allows low-privileged users to perform actions intended only for administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.25 or later to patch CVE-2026-34512.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenClaw Unauthorized Session Termination\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity targeting the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and regularly review user permissions within OpenClaw to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:29Z","date_published":"2026-04-09T22:16:29Z","id":"/briefs/2026-04-openclaw-access-control-bypass/","summary":"OpenClaw before 2026.3.25 contains an improper access control vulnerability (CVE-2026-34512) in the HTTP /sessions/:sessionKey/kill route, allowing any authenticated user to terminate arbitrary subagent sessions.","title":"OpenClaw Improper Access Control Vulnerability (CVE-2026-34512)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-access-control-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-35455"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["immich","xss","cve-2026-35455","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImmich, a self-hosted photo and video management solution, is vulnerable to a stored Cross-Site Scripting (XSS) attack.  Specifically, versions prior to 2.7.0 are susceptible. An authenticated attacker can exploit the 360° panorama viewer by uploading a specially crafted equirectangular image that contains malicious text. 
When another user views the panorama with the OCR overlay enabled, the injected text is extracted via OCR and rendered by the panorama viewer without sanitization. This leads to arbitrary JavaScript execution within the victim\u0026rsquo;s browser. The vulnerability, identified as CVE-2026-35455, poses a significant risk, potentially leading to session hijacking (via persistent API key creation), private photo exfiltration, and unauthorized access to sensitive data like GPS location history and face biometric data. Users are advised to upgrade to version 2.7.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an Immich instance with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an equirectangular image containing malicious JavaScript code embedded within the text.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted image to the Immich server through the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker shares or otherwise causes another user to view the uploaded panorama image.\u003c/li\u003e\n\u003cli\u003eThe victim views the panorama image with the OCR overlay feature enabled.\u003c/li\u003e\n\u003cli\u003eThe Immich server processes the image, and the OCR engine extracts the malicious JavaScript from the image.\u003c/li\u003e\n\u003cli\u003eThe panorama viewer renders the OCR output via \u003ccode\u003einnerHTML\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript executes within the victim\u0026rsquo;s browser session, allowing the attacker to perform actions such as session hijacking, data exfiltration, or unauthorized data access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-35455) in Immich can lead to severe consequences. 
An attacker can hijack user sessions by creating persistent API keys, allowing them to impersonate the victim. Furthermore, they can exfiltrate private photos and gain unauthorized access to sensitive information such as GPS location history and face biometric data stored within the Immich instance. The number of potential victims corresponds to the number of users on a vulnerable Immich instance. Given the self-hosted nature of Immich, the impact is largely dependent on the type and sensitivity of data stored within affected deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Immich to version 2.7.0 or later to patch the CVE-2026-35455 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for user-uploaded content, particularly images, to prevent XSS attacks. Focus on \u003ccode\u003ewebserver\u003c/code\u003e logs for unusual POST requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Immich Panorama Requests\u003c/code\u003e to identify potential exploitation attempts based on unusual URL parameters indicative of crafted panorama requests.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP requests containing suspicious JavaScript payloads within the URL, which may indicate XSS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:24Z","date_published":"2026-04-08T19:25:24Z","id":"/briefs/2024-01-immich-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Immich versions before 2.7.0 allows authenticated users to inject arbitrary JavaScript via crafted equirectangular images, leading to session hijacking, data exfiltration, and unauthorized access.","title":"Immich Stored XSS Vulnerability in 360° Panorama Viewer 
(CVE-2026-35455)","url":"https://feed.craftedsignal.io/briefs/2024-01-immich-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35164","rce","file-upload","brave-cms","ckeditor","php","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the \u003ccode\u003eckupload\u003c/code\u003e method located in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. 
Organizations using affected versions of Brave CMS are at risk of complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application as a user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CKEditor\u0026rsquo;s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eckupload\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e processes the uploaded file without proper validation of the file type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP script is stored on the server in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP script via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. 
Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).\u003c/li\u003e\n\u003cli\u003eImplement server-side file validation to prevent the upload of malicious files, regardless of file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server\u0026rsquo;s upload directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-brave-cms-rce/","summary":"Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.","title":"Brave CMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34402"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqlinjection","cve-2026-34402","churchcrm","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, the application suffers from a time-based blind SQL injection vulnerability (CVE-2026-34402). Authenticated users with either \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions can exploit this flaw. 
Successful exploitation allows attackers to exfiltrate or modify any database content, which could include user credentials, personally identifiable information (PII), and configuration secrets. The vulnerable endpoint is \u003ccode\u003ePropertyAssign.php\u003c/code\u003e. This vulnerability was addressed and fixed in version 7.1.0 of ChurchCRM. Defenders should prioritize patching vulnerable instances to prevent unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for ChurchCRM, with \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions. This could be achieved through credential stuffing, password reuse, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint. This request contains a SQL injection payload within a parameter processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious SQL query, injecting it into the database query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eDue to the blind nature of the SQL injection, the attacker uses time-based techniques (e.g., \u003ccode\u003eSLEEP()\u003c/code\u003e) to infer information about the database structure and content.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through various SQL injection payloads, slowly extracting sensitive data such as usernames, password hashes, and other PII.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify database records to escalate privileges, create new administrative accounts, or sabotage the application\u0026rsquo;s functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the confidentiality, integrity, and availability of the ChurchCRM database, 
potentially leading to significant data breaches and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34402 can have serious consequences. An attacker can gain unauthorized access to sensitive data stored within the ChurchCRM database. This includes user credentials, PII, and configuration secrets. The attacker can also modify database records, potentially disrupting church operations or causing financial harm. Given the sensitive nature of the data often stored in church management systems, the impact of this vulnerability could be substantial. The vulnerability affects ChurchCRM installations prior to version 7.1.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM installations to version 7.1.0 or later to remediate CVE-2026-34402.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to PropertyAssign.php with sleep commands to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eReview user access controls within ChurchCRM to ensure that only authorized personnel have \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:35Z","date_published":"2026-04-06T16:16:35Z","id":"/briefs/2026-04-churchcrm-sql-injection/","summary":"CVE-2026-34402 is a time-based blind SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. 
Authenticated users with Edit Records or Manage Groups permissions can exploit the PropertyAssign.php endpoint to exfiltrate or modify database content, including user credentials, PII, and configuration secrets.","title":"ChurchCRM Time-Based Blind SQL Injection Vulnerability (CVE-2026-34402)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25668"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25668","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNews Website Script version 2.0.5 is susceptible to SQL injection, as identified by CVE-2019-25668. This vulnerability allows unauthenticated remote attackers to manipulate database queries by injecting malicious SQL code via the \u0026rsquo;news ID\u0026rsquo; parameter. Successful exploitation grants attackers the ability to extract sensitive information directly from the application database. The vulnerability lies within the index.php/show/news/ endpoint and can be exploited via simple HTTP GET requests, making it easily accessible. 
The risk to organizations using this vulnerable software is significant, potentially leading to data breaches and unauthorized access to confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable instance of News Website Script 2.0.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/index.php/show/news/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a \u003ccode\u003enews\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe web server receives the malicious request and passes the SQL injection payload to the application\u0026rsquo;s database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials, financial information, or proprietary data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2019-25668) can lead to the complete compromise of the affected News Website Script 2.0.5 database. The impact includes unauthorized access to sensitive data, potential data breaches, and the ability for attackers to modify or delete data. 
The number of potential victims is dependent on the install base of the vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of News Website Script to remediate CVE-2019-25668.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect exploitation attempts targeting the vulnerable endpoint \u003ccode\u003eindex.php/show/news/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input to prevent SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-news-website-sqli/","summary":"News Website Script 2.0.5 contains an SQL injection vulnerability (CVE-2019-25668) allowing unauthenticated attackers to extract sensitive information by injecting SQL code through the news ID parameter in GET requests.","title":"News Website Script 2.0.5 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-news-website-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5570"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5570, exists in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This vulnerability resides within the \u003ccode\u003eindex_config\u003c/code\u003e function of the \u003ccode\u003e/LoginCB\u003c/code\u003e file. Successful exploitation allows remote attackers to bypass authentication mechanisms. Publicly available exploit code exists, increasing the risk of widespread exploitation. The vendor was notified but did not respond. 
Given the lack of vendor response and the existence of a public exploit, organizations using affected Technostrobe devices should immediately assess their exposure and implement mitigation measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Technostrobe HI-LED-WR120-G2 device running firmware version 5.5.0.1R6.03.30 accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/LoginCB\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authentication flaw in the \u003ccode\u003eindex_config\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function fails to properly validate the attacker\u0026rsquo;s identity due to the flaw.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to administrative functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies device configurations, potentially disrupting operations or gaining further control.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to access internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device as a foothold for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5570 allows attackers to bypass authentication on affected Technostrobe HI-LED-WR120-G2 devices. This could lead to unauthorized access to sensitive configurations, disruption of lighting systems, and potential use of the compromised device as a pivot point for further attacks within the network. 
The lack of vendor response to the vulnerability exacerbates the risk, as no official patch is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBecause no patch is available, remove the device\u0026rsquo;s web interface from any network reachable by untrusted parties: restrict management access to a dedicated management VLAN or VPN, and never expose \u003ccode\u003e/LoginCB\u003c/code\u003e to the internet.\u003c/li\u003e\n\u003cli\u003eMonitor web server or reverse-proxy logs for requests to the \u003ccode\u003e/LoginCB\u003c/code\u003e endpoint from unexpected sources, and for access to configuration pages that is not preceded by a successful login from the same client. Access logs record the request, not the \u003ccode\u003eindex_config\u003c/code\u003e code path, so detection has to key on the endpoint and the surrounding session behaviour rather than on the vulnerable function itself.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized access attempts via the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised Technostrobe device on other network resources.\u003c/li\u003e\n\u003cli\u003ePlace the affected Technostrobe device behind an authenticating reverse proxy that allow-lists management clients; the proxy\u0026rsquo;s own authentication then gates \u003ccode\u003e/LoginCB\u003c/code\u003e regardless of the device\u0026rsquo;s flawed check.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T14:16:17Z","date_published":"2026-04-05T14:16:17Z","id":"/briefs/2026-04-technostrobe-auth-bypass/","summary":"CVE-2026-5570 is an improper authentication vulnerability in the index_config function of the /LoginCB file of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30, allowing remote attackers to bypass authentication.","title":"Technostrobe HI-LED-WR120-G2 Improper Authentication Vulnerability (CVE-2026-5570)","url":"https://feed.craftedsignal.io/briefs/2026-04-technostrobe-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5567"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5567","buffer-overflow","tenda","router","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability has been identified in Tenda M3 router version 1.0.0.10. 
The vulnerability resides in the \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function within the \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e file, a part of the Destination Handler component. By manipulating the \u003ccode\u003epolicyType\u003c/code\u003e argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations utilizing the affected Tenda M3 router, potentially allowing attackers to gain unauthorized access to the network or disrupt services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda M3 router exposed to the internet or reachable from their network position.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP POST request to \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious \u003ccode\u003epolicyType\u003c/code\u003e argument designed to overflow the buffer in the \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function in \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e processes the \u003ccode\u003epolicyType\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe excessive data provided in the \u003ccode\u003epolicyType\u003c/code\u003e argument overwrites adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite critical data or inject malicious code into the process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed, giving the attacker control over the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router 
as a foothold to pivot to other devices on the network, exfiltrate sensitive data, or cause denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda M3 router. This could lead to a complete compromise of the device, allowing the attacker to control network traffic, access sensitive information, or use the router as a launchpad for further attacks within the network. Given the severity and the existence of public exploits, vulnerable routers are at high risk of being targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-5567.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious POST requests to \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e with unusually long \u003ccode\u003epolicyType\u003c/code\u003e arguments, and deploy the Sigma rule \u003ccode\u003eDetect Suspicious PolicyType Argument Length\u003c/code\u003e to identify this activity. Note that the argument travels in the POST body, which standard access logs do not record, so the rule needs a reverse proxy, WAF or packet capture that logs or inspects request bodies; the router\u0026rsquo;s own logging is unlikely to provide it.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter malicious requests targeting the affected endpoint.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the router\u0026rsquo;s management interface to authorized personnel only, and disable remote (WAN-side) management so the endpoint is not reachable from the internet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T13:17:14Z","date_published":"2026-04-05T13:17:14Z","id":"/briefs/2026-04-tenda-m3-overflow/","summary":"A buffer overflow vulnerability exists in Tenda M3 1.0.0.10 via manipulation of the policyType argument in the setAdvPolicyData function, allowing remote attackers to execute arbitrary code.","title":"Tenda M3 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-m3-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33509"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["pyLoad","rce","pickle","deserialization","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003epyLoad, a download manager, is susceptible to arbitrary code execution due to an insecure configuration option related to the storage folder. This vulnerability arises from the incomplete fix for CVE-2026-33509. Specifically, the \u003ccode\u003estorage_folder\u003c/code\u003e option is not included in the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set, which allows users with \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions to modify it. By redirecting downloads to the Flask filesystem session store, an attacker can plant a malicious pickle payload as a predictable session file. Subsequently, any HTTP request containing the corresponding crafted session cookie will trigger the deserialization of the payload, resulting in arbitrary code execution. This issue affects pyLoad versions up to and including 0.5.0b3. The observed exploitation involves manipulating the download directory to write malicious files into the Flask session store, ultimately leading to code execution on the host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains a non-admin user account with both \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions in pyLoad.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/set_config_value\u003c/code\u003e endpoint to modify the \u003ccode\u003estorage_folder\u003c/code\u003e option, setting its value to the Flask session store directory: \u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e. 
This bypasses existing path restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker calculates the target session filename by computing the MD5 hash of the string \u0026ldquo;session:ATTACKER_SESSION_ID\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious pickle payload (e.g., \u003ccode\u003e92912f771df217fb6fbfded6705dd47c\u003c/code\u003e) on a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/add_package\u003c/code\u003e endpoint to add a download package. The download link points to the hosted malicious pickle payload on the attacker\u0026rsquo;s server: \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e. The \u003ccode\u003edest\u003c/code\u003e parameter specifies where to store the downloaded file.\u003c/li\u003e\n\u003cli\u003epyLoad downloads the malicious pickle payload and saves it to the Flask session store directory, naming it according to the MD5 hash calculated earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the pyLoad server, including a cookie named \u003ccode\u003epyload_session_{port}\u003c/code\u003e with the value \u003ccode\u003eATTACKER_SESSION_ID\u003c/code\u003e.  The port number is derived from the pyLoad configuration.\u003c/li\u003e\n\u003cli\u003eUpon receiving the request with the crafted cookie, Flask attempts to load the session data from the corresponding file. The \u003ccode\u003ecachelib\u003c/code\u003e library deserializes the malicious pickle payload using \u003ccode\u003epickle.load()\u003c/code\u003e, triggering arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a non-admin user with SETTINGS and ADD permissions to achieve arbitrary code execution as the pyload service user. 
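As an added example, constructed for this brief and not pyLoad's own code: a Python model of the authorization check at the root of the chain above, with the admin-only set as the brief describes it (missing storage_folder) beside the fixed set, the session-file naming that makes the dropped payload's filename predictable, and a small check that flags set_config_value calls aiming storage_folder at the session store. The other member of the admin-only set, the user and API call records, and the helper names are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

SESSION_DIR = '/tmp/pyLoad/flask'   # Flask filesystem session store named in the brief

# Vulnerable: the set that gates sensitive options does not list storage_folder.
# download_folder as a member is an assumption for illustration.
ADMIN_ONLY_OPTIONS_VULNERABLE = frozenset({'download_folder'})
# Fixed: storage_folder joins the set, so SETTINGS alone can no longer change it.
ADMIN_ONLY_OPTIONS_FIXED = ADMIN_ONLY_OPTIONS_VULNERABLE | {'storage_folder'}

@dataclass
class User:
    name: str
    is_admin: bool
    perms: frozenset

def set_config_value(config, user, option, value, admin_only):
    # Model of the API handler: SETTINGS permission is required for any change,
    # and options in admin_only additionally require an admin account.
    if not user.is_admin and 'SETTINGS' not in user.perms:
        return False
    if option in admin_only and not user.is_admin:
        return False
    config[option] = value
    return True

def session_filename(session_id):
    # flask-session keys its cachelib backend with the prefix session: and the
    # filesystem cache names each file by the MD5 of that key, so an attacker
    # who picks the session id also knows the filename the download must land on.
    return hashlib.md5(('session:' + session_id).encode()).hexdigest()

def points_into_session_store(path):
    norm = os.path.normpath(path)
    return norm == SESSION_DIR or norm.startswith(SESSION_DIR + '/')

def suspicious_config_changes(api_calls):
    # Detection view: set_config_value calls that redirect storage_folder into
    # the session store, the first observable step of the chain.
    return [c for c in api_calls
            if c['endpoint'] == '/api/set_config_value'
            and c['option'] == 'storage_folder'
            and points_into_session_store(c['value'])]

# Constructed API call records for the detection check (not real logs).
SAMPLE_CALLS = [
    {'user': 'alice', 'endpoint': '/api/set_config_value', 'option': 'storage_folder', 'value': '/srv/downloads'},
    {'user': 'eve', 'endpoint': '/api/set_config_value', 'option': 'storage_folder', 'value': '/tmp/pyLoad/flask/../flask'},
    {'user': 'eve', 'endpoint': '/api/add_package', 'option': None, 'value': None},
]

def demo():
    # A non-admin with SETTINGS and ADD, the precondition named in the brief.
    low = User('eve', False, frozenset({'SETTINGS', 'ADD'}))
    before = {'storage_folder': '/srv/downloads'}
    after = {'storage_folder': '/srv/downloads'}
    changed_vuln = set_config_value(before, low, 'storage_folder', SESSION_DIR, ADMIN_ONLY_OPTIONS_VULNERABLE)
    changed_fixed = set_config_value(after, low, 'storage_folder', SESSION_DIR, ADMIN_ONLY_OPTIONS_FIXED)
    return changed_vuln, changed_fixed, before['storage_folder'], after['storage_folder']

if __name__ == '__main__':
    print(demo())
    print([c['user'] for c in suspicious_config_changes(SAMPLE_CALLS)])
```

The path check normalizes before comparing, which is why the dot-dot variant in the sample calls is still caught; a rule that string-matches the literal directory would miss it.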
This grants the attacker the ability to execute arbitrary commands, read environment variables (potentially exposing API keys and credentials), access the filesystem (including download history and user databases), and potentially pivot to other network resources. No authentication is needed for the final stage: any HTTP request carrying the chosen cookie value triggers the deserialization, so once the file is in place the attacker can fire it from anywhere, which increases the severity and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to modify the \u003ccode\u003estorage_folder\u003c/code\u003e configuration option to point to the Flask session directory (\u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e): \u003ccode\u003eSuspicious pyLoad Storage Folder Modification\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpgrade to a pyLoad release that includes the fix; if you must patch locally, add \u003ccode\u003estorage_folder\u003c/code\u003e to the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set in pyLoad\u0026rsquo;s source so that the \u003ccode\u003eSETTINGS\u003c/code\u003e permission alone no longer allows changing it. Until then, grant \u003ccode\u003eSETTINGS\u003c/code\u003e only to fully trusted accounts, since \u003ccode\u003eSETTINGS\u003c/code\u003e plus \u003ccode\u003eADD\u003c/code\u003e is the whole precondition for this chain.\u003c/li\u003e\n\u003cli\u003eThe delivery URL \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e is a placeholder from the published proof of concept, not a real indicator, and blocking it gives no protection. Instead, treat any download whose destination resolves under \u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e as malicious, and alert on \u003ccode\u003e/api/add_package\u003c/code\u003e calls whose \u003ccode\u003edest\u003c/code\u003e points there.\u003c/li\u003e\n\u003cli\u003eMonitor webserver or proxy logs for requests presenting a \u003ccode\u003epyload_session_{port}\u003c/code\u003e cookie whose value was never issued by the server (\u003ccode\u003eATTACKER_SESSION_ID\u003c/code\u003e in the proof of concept stands for any value the attacker chose); such a request is the final stage of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:43:37Z","date_published":"2026-04-04T06:43:37Z","id":"/briefs/2026-04-pyload-rce/","summary":"pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP 
requests.","title":"pyLoad Arbitrary Code Execution via Malicious Session Deserialization","url":"https://feed.craftedsignal.io/briefs/2026-04-pyload-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34840"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-34840","saml","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the \u003ccode\u003eApp/FeatureSet/Identity/Utils/SSO.ts\u003c/code\u003e file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the \u003ccode\u003eisSignatureValid()\u003c/code\u003e function checks the signature of the first \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e element, while the \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion element \u003ccode\u003eassertion[0]\u003c/code\u003e. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. 
The vulnerability has been patched in version 10.0.42.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user\u0026rsquo;s email).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends this malicious assertion to a valid, signed SAML assertion that the identity provider issued for a low-privilege account or a newly created account; the signed response passes through the attacker\u0026rsquo;s own browser on its way to the service provider, so it can be modified before it is posted.\u003c/li\u003e\n\u003cli\u003eThe combined SAML response is sent to the OneUptime platform for authentication.\u003c/li\u003e\n\u003cli\u003eBecause the prepended assertion carries no \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e element, the first \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e in the document belongs to the second, legitimately signed assertion; \u003ccode\u003eisSignatureValid()\u003c/code\u003e verifies that signature and the check passes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.\u003c/li\u003e\n\u003cli\u003eOneUptime grants access based on the forged identity extracted from the malicious assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. 
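As an added example, constructed for this brief and not OneUptime's code: a Python model of the split between signature check and identity extraction in the chain above, beside a version that takes the identity only from the assertion the verified signature references and rejects responses carrying more than one assertion. A keyed MAC over the assertion ID and NameID stands in for XML-DSig, the element names are simplified and unnamespaced, and the key, IDs and addresses are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b'constructed-idp-signing-key'   # stand-in for the IdP's private key

def mac_for(assertion_id, email):
    # Stand-in for XML-DSig: a keyed MAC over the fields that matter here,
    # bound to the assertion ID so a signature cannot be moved between elements.
    msg = (assertion_id + '|' + email).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()

def build_response(assertions):
    # assertions: list of (id, email, signed) tuples; produces a minimal
    # SAML-like document where a signed assertion carries an enveloped Signature
    # whose Reference URI names the assertion it covers.
    resp = ET.Element('Response')
    for aid, email, signed in assertions:
        a = ET.SubElement(resp, 'Assertion', ID=aid)
        ET.SubElement(ET.SubElement(a, 'Subject'), 'NameID').text = email
        if signed:
            sig = ET.SubElement(a, 'Signature')
            ET.SubElement(sig, 'Reference', URI='#' + aid)
            ET.SubElement(sig, 'SignatureValue').text = mac_for(aid, email)
    return ET.tostring(resp, encoding='unicode')

def signature_covers(root, sig):
    # Verifies sig against the assertion its Reference points at and returns
    # that assertion, or None. This is the part a real XML-DSig library does.
    ref = sig.find('Reference')
    uri = ref.get('URI', '') if ref is not None else ''
    if not uri.startswith('#'):
        return None
    target = next((a for a in root.findall('Assertion') if a.get('ID') == uri[1:]), None)
    if target is None:
        return None
    email = target.find('Subject/NameID').text
    value = sig.findtext('SignatureValue', '')
    return target if hmac.compare_digest(value, mac_for(uri[1:], email)) else None

def login_vulnerable(doc):
    # Mirrors the flaw: validity is judged by the first Signature found
    # anywhere in the document, while identity is read from assertion[0].
    root = ET.fromstring(doc)
    sig = root.find('.//Signature')
    if sig is None or signature_covers(root, sig) is None:
        return None
    return root.findall('Assertion')[0].find('Subject/NameID').text

def login_fixed(doc):
    # Identity comes only from the assertion the verified signature covers,
    # and a response carrying more than one assertion is rejected outright.
    root = ET.fromstring(doc)
    assertions = root.findall('Assertion')
    if len(assertions) != 1:
        return None
    sig = assertions[0].find('Signature')
    signed = signature_covers(root, sig) if sig is not None else None
    if signed is None or signed is not assertions[0]:
        return None
    return signed.find('Subject/NameID').text

# Constructed inputs: a legitimate response and one with a forged assertion prepended.
LEGIT = build_response([('_a1', 'lowpriv@example.com', True)])
FORGED = build_response([('_evil', 'admin@example.com', False),
                         ('_a1', 'lowpriv@example.com', True)])

if __name__ == '__main__':
    print('vulnerable:', login_vulnerable(LEGIT), login_vulnerable(FORGED))
    print('fixed:', login_fixed(LEGIT), login_fixed(FORGED))
```

The identity check in login_fixed (signed is not assertions[0]) is the binding the brief says the vulnerable code lacks: the element the signature was verified over and the element the email is read from must be the same object.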
Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.\u003c/li\u003e\n\u003cli\u003eAs a stopgap only, a web application firewall (WAF) rule can reject SAML responses carrying more than one \u003ccode\u003e\u0026lt;Assertion\u0026gt;\u003c/code\u003e element; the \u003ccode\u003eSAMLResponse\u003c/code\u003e POST parameter is base64-encoded, so the rule must decode it before counting. This blocks the chain described above but not other ways of separating the signed element from the element the identity is read from; the durable fix is code that takes the identity only from the assertion whose signature it verified, so upgrade rather than rely on the WAF.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs, SSO logins to privileged accounts from new locations, or deviations from normal authentication patterns related to the webserver log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:16:28Z","date_published":"2026-04-02T20:16:28Z","id":"/briefs/2024-01-oneuptime-auth-bypass/","summary":"OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending unsigned assertions.","title":"OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)","url":"https://feed.craftedsignal.io/briefs/2024-01-oneuptime-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34785"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rack","information-disclosure","CVE-2026-34785","ruby","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRack, a modular Ruby web server interface, is susceptible to an information disclosure vulnerability in versions prior to 2.2.23, 3.1.21, and 3.2.6. The flaw resides in the Rack::Static middleware component, which uses a simple string prefix check to determine if a request should be served as a static file. 
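As an added example, a Python model written for this Rack::Static brief rather than Rack's Ruby source: the bare string prefix test just described for the configured urls, beside a segment-aware check that only matches the prefix as a whole path component, and a request flagger for the log review this brief recommends. The static-root listing, the prefixes and the extension list are constructed.

```python
import posixpath

# Constructed listing of what sits under the static root (relative paths).
# The two stray files are the kind of sibling a bare prefix test exposes.
STATIC_ROOT = {'css/site.css', 'css/theme.css', 'js/app.js', 'css-config.env', 'css-backup.sql'}
URL_PREFIXES = ['/css', '/js']          # the urls option, as a site might set it
SENSITIVE_EXT = ('.env', '.sql', '.bak', '.old', '.orig')

def applies_vulnerable(path):
    # The flaw: any path that merely begins with a configured prefix matches,
    # so /css-config.env is treated as static just like /css/site.css.
    return any(path.startswith(p) for p in URL_PREFIXES)

def applies_fixed(path):
    # A prefix only matches as a whole path segment: the prefix itself, or
    # something beneath it after a slash.
    return any(path == p or path.startswith(p + '/') for p in URL_PREFIXES)

def resolve(path):
    # Maps a request path onto the static root, refusing anything that would
    # climb out of it, and returns the relative file or None if absent.
    rel = posixpath.normpath(path.lstrip('/'))
    if rel == '..' or rel.startswith('../'):
        return None
    return rel if rel in STATIC_ROOT else None

def serve(path, applies):
    # Returns the file served, not-found when the prefix matched but no file
    # exists, or pass-through when the request is left to the application.
    if not applies(path):
        return 'pass-through'
    hit = resolve(path)
    return hit if hit is not None else 'not-found'

def flag_request(path):
    # Detection view for access logs: a request only the sloppy check would serve,
    # or a static-prefixed request for a config/backup style extension.
    sibling = applies_vulnerable(path) and not applies_fixed(path)
    sensitive = applies_vulnerable(path) and path.lower().endswith(SENSITIVE_EXT)
    return sibling or sensitive

if __name__ == '__main__':
    for p in ['/css/site.css', '/css-config.env', '/css-backup.sql', '/index']:
        print(p, serve(p, applies_vulnerable), serve(p, applies_fixed), flag_request(p))
```

With the fixed check, /css-config.env is handed to the application like any other unknown route; the file is still reachable only if something else serves it, which is why the recommendation also says to keep non-public files out of the static root.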
When configured with URL prefixes, such as \u0026ldquo;/css\u0026rdquo;, Rack::Static incorrectly matches any request path starting with \u0026ldquo;/css\u0026rdquo;, potentially serving unintended files like \u0026ldquo;/css-config.env\u0026rdquo; or \u0026ldquo;/css-backup.sql\u0026rdquo;. This allows unauthorized access to sensitive files located under the static root directory. This vulnerability, identified as CVE-2026-34785, can lead to the disclosure of configuration files, database backups, and other sensitive information. The vulnerability has been patched in Rack versions 2.2.23, 3.1.21, and 3.2.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Rack-based web application using a vulnerable version of Rack (prior to 2.2.23, 3.1.21, or 3.2.6).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a static file directory configured in the Rack application, for example using a path prefix like \u0026ldquo;/css\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting a sensitive file within the static directory, such as \u0026ldquo;/css-config.env\u0026rdquo; or \u0026ldquo;/css-backup.sql\u0026rdquo;, that shares the configured prefix but is not intended to be served publicly.\u003c/li\u003e\n\u003cli\u003eThe Rack::Static middleware incorrectly matches the malicious request due to the simple string prefix check.\u003c/li\u003e\n\u003cli\u003eThe web server serves the unintended file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information contained in the served file.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disclosed information to further compromise the application or infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34785) can lead to the disclosure of sensitive 
information, including configuration files, database backups, and other critical data. The impact severity is dependent on the nature of the exposed files. For example, exposure of database credentials could result in a full compromise of the application\u0026rsquo;s data. Organizations using vulnerable Rack versions are susceptible to information breaches if they rely on Rack::Static to serve files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rack to 2.2.23, 3.1.21 or 3.2.6, or a later release in the same series, to patch CVE-2026-34785.\u003c/li\u003e\n\u003cli\u003eReview Rack::Static configurations: keep only files meant to be public under the static root (the middleware can only serve what is there, so a stray \u003ccode\u003e.env\u003c/code\u003e or \u003ccode\u003e.sql\u003c/code\u003e dump under that directory is the actual exposure), and where a \u003ccode\u003eurls\u003c/code\u003e entry is meant to name a directory give it a trailing slash (\u003ccode\u003e/css/\u003c/code\u003e rather than \u003ccode\u003e/css\u003c/code\u003e) so that a bare prefix test cannot match sibling names such as \u003ccode\u003e/css-backup.sql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Rack Static File Access\u0026rdquo; to identify attempts to access files with similar prefixes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: webserver) for requests whose path shares a configured prefix without a slash boundary (for example \u003ccode\u003e/css-anything\u003c/code\u003e), and for file extensions such as \u003ccode\u003e.env\u003c/code\u003e, \u003ccode\u003e.sql\u003c/code\u003e, \u003ccode\u003e.bak\u003c/code\u003e that fall under static directories (e.g., /css, /js, /img).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T17:16:24Z","date_published":"2026-04-02T17:16:24Z","id":"/briefs/2026-04-rack-static-disclosure/","summary":"Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are vulnerable to information disclosure due to improper static file serving via a prefix matching issue in Rack::Static.","title":"Rack::Static Information Disclosure Vulnerability 
(CVE-2026-34785)","url":"https://feed.craftedsignal.io/briefs/2026-04-rack-static-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20160"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-20160","cisco","ssm-on-prem","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem). The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This is due to the unintentional exposure of an internal service. The vulnerability was reported in April 2026. Successful exploitation allows for command execution with root-level privileges, making it a critical risk for organizations using the affected Cisco SSM On-Prem software. Defenders should apply available patches or mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an internet-facing Cisco Smart Software Manager On-Prem (SSM On-Prem) instance.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers the unintentionally exposed internal service through reconnaissance techniques such as port scanning and service enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request specifically designed to exploit the exposed API endpoint of the internal service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the vulnerable API endpoint of the exposed service.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SSM On-Prem software processes the malicious request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe software executes arbitrary commands on the underlying operating system due to the exposed API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root-level privileges on the SSM On-Prem 
host, allowing for full control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further malicious activities, such as data exfiltration, lateral movement, or installation of persistent backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20160 allows an attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This could lead to complete compromise of the affected SSM On-Prem host. The attacker could exfiltrate sensitive data, disrupt services, or use the compromised system as a launchpad for further attacks within the network. Given the critical nature of software license management performed by SSM On-Prem, a successful attack could have significant operational and financial consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Cisco to address CVE-2026-20160 on all affected Cisco Smart Software Manager On-Prem (SSM On-Prem) instances.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting Cisco Smart Software Manager On-Prem instances to detect potential exploitation attempts, using the \u0026ldquo;Detect Cisco SSM On-Prem API Exploitation Attempt\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of internal services and prevent unauthorized access from external networks.\u003c/li\u003e\n\u003cli\u003eReview access controls and authentication mechanisms for all internal services to ensure proper security configurations and prevent unintentional exposure.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Cisco SSM On-Prem Root Command Execution\u0026rdquo; Sigma rule to detect suspicious process execution originating from the SSM On-Prem 
server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T17:28:31Z","date_published":"2026-04-01T17:28:31Z","id":"/briefs/2024-02-cisco-ssm-rce/","summary":"CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.","title":"Cisco Smart Software Manager On-Prem RCE via Exposed API (CVE-2026-20160)","url":"https://feed.craftedsignal.io/briefs/2024-02-cisco-ssm-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["http/2","denial-of-service","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in multiple HTTP/2 implementations that can be exploited by an unauthenticated, remote attacker to conduct a denial-of-service (DoS) attack. The specific details of the vulnerability aren\u0026rsquo;t disclosed in this brief, but the generic nature of the vulnerability means a wide array of servers are possibly vulnerable. Defenders need to focus on detecting anomalous HTTP/2 traffic patterns, given the lack of a specific CVE or patch information in the original source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes an HTTP/2 connection with a vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of specially crafted HTTP/2 requests. 
Due to the vulnerability, these requests consume excessive server resources.\u003c/li\u003e\n\u003cli\u003eThe server begins to experience performance degradation due to resource exhaustion (CPU, memory, or network bandwidth).\u003c/li\u003e\n\u003cli\u003eLegitimate user requests are delayed or dropped as the server struggles to process the malicious traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to send malicious HTTP/2 requests, sustaining the resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe server becomes unresponsive, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, rendering affected servers and services unavailable. The number of potential victims is broad, encompassing any system utilizing a vulnerable HTTP/2 implementation. The impact ranges from temporary service outages to prolonged periods of unavailability, causing business disruption and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBecause this brief names no CVE or patch, check the advisories of your HTTP/2 server or proxy vendor and apply whatever update addresses the issue; the measures below reduce exposure but do not remove it.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for anomalous HTTP/2 traffic patterns (request rates per client, connections carrying unusually many or very short-lived streams) using the provided Sigma rule, and correlate with host metrics for CPU, memory and network, which access logs themselves do not record.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for HTTP/2 at the edge: per-client connection and request limits plus a cap on concurrent streams per connection, so that a single client cannot monopolize worker resources.\u003c/li\u003e\n\u003cli\u003eConsider deploying a Web Application Firewall (WAF) to inspect and filter HTTP/2 traffic for known malicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:21:36Z","date_published":"2026-04-01T09:21:36Z","id":"/briefs/2026-04-http2-dos/","summary":"A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.","title":"HTTP/2 Implementations 
Vulnerability Enables Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-04-http2-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["django","sql-injection","information-disclosure","denial-of-service","web-application","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in the Django web framework that could allow a remote, authenticated attacker to perform SQL injection attacks, disclose sensitive information, or cause a denial-of-service (DoS) condition. These vulnerabilities affect Django-based applications, potentially exposing sensitive data and disrupting services. Defenders need to prioritize detection and mitigation strategies to prevent exploitation of these weaknesses. Specific Django versions affected are not detailed in the source, requiring a broad approach to detection across Django deployments. Because the source names no CVEs, match your installed version against the Django project\u0026rsquo;s own security releases rather than waiting for a CVE-keyed advisory, and rely on proactive monitoring for exploitation attempts in the meantime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to a Django-based web application through credential stuffing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies input fields within the application that are vulnerable to SQL injection, such as search boxes or form fields that directly interact with the database.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious SQL fragments and submits them through these vulnerable input fields.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled value into SQL without parameterization (raw SQL assembled by string formatting, or a framework-level flaw in an affected Django version that does the equivalent internally), and the database executes the injected query.\u003c/li\u003e\n\u003cli\u003eDepending on the specific vulnerability and database permissions, the attacker may extract sensitive data, such 
as user credentials, financial information, or internal application data.\u003c/li\u003e\n\u003cli\u003eThe attacker may also modify database records to escalate privileges or manipulate application behavior.\u003c/li\u003e\n\u003cli\u003eBy exploiting vulnerabilities that cause excessive resource consumption, the attacker can trigger a denial-of-service condition, rendering the application unavailable to legitimate users.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the gathered information or uses the compromised application for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Django vulnerabilities can lead to significant data breaches, compromising sensitive user data and intellectual property. Affected organizations could face financial losses due to regulatory fines, legal liabilities, and reputational damage. A denial-of-service condition can disrupt business operations and damage customer trust. 
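As an added example, not part of this Django brief or of the News Website Script brief earlier in this feed and not vendor code: a Python triage script for the log-based SQL injection detection both briefs recommend. It decodes each request's query parameters and scores them against weighted indicators, so a lone apostrophe in a search term stays below the alert threshold while a UNION SELECT or a time-based probe does not; it generalizes beyond the single news ID parameter of the earlier brief to any query parameter. The log lines are constructed in a simplified space-separated form (client, ident, user, timestamp, method, path, status), and the paths, parameter names and client addresses are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines, not real traffic: client ident user [timestamp] method path status.
# Line 1 is a benign request to the News Website Script endpoint named in this feed,
# line 2 the same endpoint with an injected boolean test, line 3 a benign apostrophe.
SAMPLE_LOG = '''
203.0.113.5 - - [05/Apr/2026:10:00:01 +0000] GET /index.php/show/news/?id=12 200
203.0.113.9 - - [05/Apr/2026:10:00:02 +0000] GET /index.php/show/news/?id=12%27%20AND%201%3D1--%20- 200
198.51.100.7 - - [05/Apr/2026:10:00:03 +0000] GET /search/?q=o%27neill 200
198.51.100.7 - - [05/Apr/2026:10:00:04 +0000] GET /search/?q=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20auth_user-- 200
192.0.2.20 - - [05/Apr/2026:10:00:05 +0000] GET /items/?id=1%20AND%20SLEEP(5) 500
'''

# Indicator weights: structural SQL is strong evidence, a stray quote or comment is weak.
WEIGHTED_INDICATORS = (
    ('union select', 3), ('sleep(', 3), ('benchmark(', 3), ('pg_sleep(', 3),
    ('waitfor delay', 3), ('information_schema', 3), ('load_file(', 3),
    ('or 1=1', 2), ('and 1=1', 2), ('or 1=2', 2), ('and 1=2', 2),
    ('--', 1), ('/*', 1), (chr(39), 1),   # chr(39) is the single-quote character
)
THRESHOLD = 3

def normalize(value):
    # parse_qsl already percent-decodes and turns + into space; collapse runs
    # of whitespace so that 1=1 padded with tabs or double spaces still matches.
    return ' '.join(value.lower().split())

def score_value(value):
    # Returns (score, matched indicators) for one decoded parameter value.
    text = normalize(value)
    hits = [token for token, _ in WEIGHTED_INDICATORS if token in text]
    score = sum(weight for token, weight in WEIGHTED_INDICATORS if token in text)
    return score, hits

def parse_line(line):
    fields = line.split()
    if len(fields) < 8:
        return None
    # fields: 0 client, 1 ident, 2 user, 3-4 timestamp, 5 method, 6 path, 7 status
    return {'client': fields[0], 'method': fields[5], 'path': fields[6], 'status': fields[7]}

def scan_log(text):
    # Yields one finding per parameter whose score reaches the threshold.
    findings = []
    for raw in text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        query = urlsplit(rec['path']).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            score, hits = score_value(value)
            if score >= THRESHOLD:
                findings.append({'client': rec['client'], 'path': rec['path'],
                                 'param': name, 'score': score, 'hits': hits})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f['client'], f['param'], f['score'], f['hits'])
```

Only the query string is visible here; injection through POST form fields, the case the Django chain above describes, needs a proxy or WAF that logs request bodies, after which the same scoring can be applied to the decoded body parameters.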
The number of affected organizations is potentially large, given the widespread use of the Django framework in web application development.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential SQL injection attempts targeting Django applications, focusing on \u003ccode\u003ewebserver\u003c/code\u003e logs and HTTP request parameters. Standard access logs carry only the query string, so injection through POST form fields is visible only from a proxy or WAF that logs request bodies.\u003c/li\u003e\n\u003cli\u003eKeep database access on the ORM or on parameterized raw queries (\u003ccode\u003eraw()\u003c/code\u003e and \u003ccode\u003ecursor.execute()\u003c/code\u003e with a separate params argument) rather than SQL built by string formatting; input validation and sanitization are defence in depth, not the fix (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity patterns, such as large numbers of requests from a single IP address, which could indicate a denial-of-service attack (reference: attack chain step 7).\u003c/li\u003e\n\u003cli\u003eTrack the Django project\u0026rsquo;s security releases and upgrade to the patched release of your installed series promptly; audit Django applications regularly for security vulnerabilities (reference: overview).\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter out malicious requests and protect against common web application attacks (reference: overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:20:35Z","date_published":"2026-04-01T09:20:35Z","id":"/briefs/2026-04-django-vulns/","summary":"A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.","title":"Django Multiple Vulnerabilities Leading to SQL Injection, Information Disclosure, and DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-django-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-21861"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-21861","command-injection","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS, a website development 
framework, is susceptible to an OS command injection vulnerability (CVE-2026-21861) in versions prior to 5.2.3. This flaw resides within the core update functionality, where user-controlled input is directly passed to the \u003ccode\u003eexec()\u003c/code\u003e function without proper sanitization or validation. A successful exploit allows an authenticated administrator to execute arbitrary operating system commands on the underlying server. The vulnerability was reported on March 30, 2026…\u003c/p\u003e\n","date_modified":"2026-03-31T01:19:59Z","date_published":"2026-03-31T01:19:59Z","id":"/briefs/2026-04-basercms-command-injection/","summary":"baserCMS versions prior to 5.2.3 are vulnerable to OS command injection, allowing an authenticated administrator to execute arbitrary commands on the server via maliciously crafted input to the core update functionality.","title":"baserCMS OS Command Injection Vulnerability (CVE-2026-21861)","url":"https://feed.craftedsignal.io/briefs/2026-04-basercms-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-30877"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["basercms","command-injection","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS is a website development framework. Prior to version 5.2.3, a critical OS command injection vulnerability exists within the update functionality. This flaw allows an attacker, authenticated as an administrator, to inject and execute arbitrary operating system commands on the server hosting baserCMS. The commands are executed with the privileges of the user account running the baserCMS application, potentially leading to complete system compromise. 
This vulnerability was reported on…\u003c/p\u003e\n","date_modified":"2026-03-31T01:16:35Z","date_published":"2026-03-31T01:16:35Z","id":"/briefs/2026-03-basercms-cmd-injection/","summary":"baserCMS prior to version 5.2.3 contains an OS command injection vulnerability in the update functionality, allowing authenticated administrators to execute arbitrary OS commands on the server.","title":"baserCMS OS Command Injection Vulnerability (CVE-2026-30877)","url":"https://feed.craftedsignal.io/briefs/2026-03-basercms-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2025-32957"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["basercms","rce","cve-2025-32957","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS, a website development framework, contains an arbitrary code execution vulnerability in versions prior to 5.2.3. The vulnerability, identified as CVE-2025-32957, lies within the application\u0026rsquo;s restore function. This function allows users, including potentially unauthenticated users depending on configuration, to upload a .zip file. The uploaded archive is automatically extracted by the application. 
A PHP file within the extracted archive is then included using \u003ccode\u003erequire_once\u003c/code\u003e without…\u003c/p\u003e\n","date_modified":"2026-03-31T01:16:34Z","date_published":"2026-03-31T01:16:34Z","id":"/briefs/2026-03-basercms-rce/","summary":"baserCMS versions prior to 5.2.3 are vulnerable to arbitrary code execution via a crafted zip file upload through the restore function, leading to unauthenticated remote command execution on the webserver.","title":"baserCMS Pre-Auth Arbitrary Code Execution via Zip Upload (CVE-2025-32957)","url":"https://feed.craftedsignal.io/briefs/2026-03-basercms-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nginx","vulnerability","denial-of-service","code-execution","webserver","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in NGINX and NGINX Plus, potentially allowing attackers to perform a range of malicious activities. These include launching denial-of-service (DoS) attacks to disrupt service availability, manipulating sensitive data, bypassing existing security measures, and, in the worst-case scenario, achieving arbitrary code execution on the affected system. Defenders should be aware that although no specific CVEs or attack campaigns are mentioned, the broad range of potential impacts makes patching and detection critical. 
The scope of these vulnerabilities extends to any organization utilizing NGINX or NGINX Plus as part of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the specific vulnerabilities are not detailed, the following attack chain represents a generalized exploitation scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e The attacker identifies a vulnerable version of NGINX or NGINX Plus through reconnaissance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Development/Acquisition:\u003c/strong\u003e The attacker develops a custom exploit or obtains one from public or private sources targeting the identified vulnerability (e.g., buffer overflow, integer overflow, or configuration flaw).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Selection:\u003c/strong\u003e The attacker identifies a vulnerable NGINX instance exposed to the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Exploitation:\u003c/strong\u003e The attacker sends a specially crafted request to the targeted NGINX server, triggering the vulnerability. This might involve manipulating HTTP headers, crafting specific URL parameters, or exploiting flaws in request handling.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e Depending on the vulnerability, the attacker may need to escalate privileges to gain full control of the system. 
This could involve exploiting additional vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation/Security Bypass/DoS:\u003c/strong\u003e The attacker leverages the exploited vulnerability to manipulate data served by NGINX, bypass authentication or authorization mechanisms, or initiate a denial-of-service attack by consuming excessive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution (Potential):\u003c/strong\u003e If the vulnerability allows, the attacker executes arbitrary code on the NGINX server, potentially installing malware, establishing persistence, or using the compromised server as a pivot point for further attacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Exfiltration (Potential):\u003c/strong\u003e After gaining a foothold, the attacker may attempt to move laterally within the network, compromising other systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant damage. A denial-of-service attack can disrupt critical services, causing financial losses and reputational damage. Data manipulation can compromise the integrity of information served by NGINX, leading to incorrect decisions or further attacks. Bypassing security measures can grant unauthorized access to sensitive resources. Arbitrary code execution allows the attacker to take complete control of the server, potentially leading to data theft, system compromise, and further attacks on internal infrastructure. 
The exact number of potential victims is unknown, but it could be extensive given the widespread use of NGINX and NGINX Plus.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NGINX and NGINX Plus to the latest patched versions to remediate known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Suspicious Nginx Configuration Changes\u0026rdquo; Sigma rule to detect unauthorized modifications to the Nginx configuration.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Nginx DoS Attempts\u0026rdquo; Sigma rule to monitor for suspicious traffic patterns indicative of a denial-of-service attack against Nginx.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit exposure of NGINX servers to untrusted networks.\u003c/li\u003e\n\u003cli\u003eRegularly review NGINX configuration files for misconfigurations and security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:14:08Z","date_published":"2026-03-30T10:14:08Z","id":"/briefs/2026-03-nginx-vulns/","summary":"Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.","title":"Multiple Vulnerabilities in NGINX and NGINX Plus","url":"https://feed.craftedsignal.io/briefs/2026-03-nginx-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2328 is a critical vulnerability that allows an unauthenticated remote attacker to perform path traversal attacks due to insufficient input validation. This flaw enables unauthorized access to backend components, potentially exposing sensitive information. 
The vulnerability was published on March 30, 2026, and assigned a CVSS v3.1 score of 7.5. The vulnerability stems from inadequate input sanitization, permitting attackers to manipulate file paths and access restricted areas of the…\u003c/p\u003e\n","date_modified":"2026-03-30T08:16:17Z","date_published":"2026-03-30T08:16:17Z","id":"/briefs/2026-03-path-traversal/","summary":"CVE-2026-2328 describes a vulnerability where an unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, leading to the exposure of sensitive information.","title":"CVE-2026-2328 Unauthenticated Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","request-smuggling","undertow","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-28367 is a request smuggling vulnerability found in Undertow, a flexible, performant server-side Java web server. The vulnerability arises from improper handling of HTTP header block terminators. Specifically, a remote attacker can send \u003ccode\u003e\\r\\r\\r\u003c/code\u003e as a header block terminator, which can be misinterpreted by certain proxy servers. 
This allows the attacker to potentially smuggle malicious requests, bypassing security controls and gaining unauthorized access to resources or manipulating…\u003c/p\u003e\n","date_modified":"2026-03-27T17:16:27Z","date_published":"2026-03-27T17:16:27Z","id":"/briefs/2026-03-undertow-smuggling/","summary":"A remote attacker can exploit CVE-2026-28367 in Undertow by sending '\\r\\r\\r' as a header block terminator, leading to request smuggling on vulnerable proxy servers.","title":"Undertow HTTP Request Smuggling Vulnerability (CVE-2026-28367)","url":"https://feed.craftedsignal.io/briefs/2026-03-undertow-smuggling/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4910","sql-injection","streamax","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-4910, affects Shenzhen Ruiming Technology Streamax Crocus bis version 1.3.44. The vulnerability is located within the \u003ccode\u003e/RemoteFormat.do\u003c/code\u003e file, specifically the \u003ccode\u003eEndpoint\u003c/code\u003e component. By manipulating the \u003ccode\u003eState\u003c/code\u003e argument, a remote attacker can inject arbitrary SQL commands. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified but did not respond. 
Successful exploitation could lead to unauthorized data…\u003c/p\u003e\n","date_modified":"2026-03-27T04:16:08Z","date_published":"2026-03-27T04:16:08Z","id":"/briefs/2026-03-streamax-sql-injection/","summary":"A SQL injection vulnerability (CVE-2026-4910) exists in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44 via the /RemoteFormat.do endpoint, allowing remote attackers to execute arbitrary SQL commands by manipulating the State argument.","title":"Shenzhen Ruiming Technology Streamax Crocus bis SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-streamax-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["siyuan","arbitrary-document-access","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan, a note-taking application, is susceptible to an arbitrary document reading vulnerability within its publishing service. This flaw allows an unauthenticated attacker to bypass access controls and retrieve the content of any document, regardless of encryption or access restrictions. The vulnerability stems from inadequate authorization checks when accessing document content through specific API endpoints. The issue was reported on March 25, 2026, and is tracked as CVE-2026-33669. The vulnerable package is \u003ccode\u003ego/github.com/siyuan-note/siyuan/kernel\u003c/code\u003e, specifically versions equal to or older than \u003ccode\u003e0.0.0-20260317012524-fe4523fff2c8\u003c/code\u003e. 
This vulnerability poses a significant risk to organizations and individuals using SiYuan for sensitive data storage, potentially leading to unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SiYuan instance with the publishing service enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint to retrieve a list of document IDs. This endpoint lacks proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server responds with a list of document IDs available within the publishing service.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a target document ID from the list obtained in the previous step.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoint, providing the target document ID in the request body. This endpoint is intended to retrieve child blocks of a specific document.\u003c/li\u003e\n\u003cli\u003eDue to insufficient access control, the server processes the request and returns the content of the requested document, even if it is encrypted or restricted.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to extract the document content, which is typically formatted in Markdown.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat steps 4-7 to obtain the content of other documents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe arbitrary document reading vulnerability allows unauthorized access to potentially sensitive information stored within SiYuan. Successful exploitation could lead to the disclosure of confidential documents, intellectual property, personal data, or other restricted content. 
The impact is significant, as it bypasses intended security measures such as encryption and access controls. While specific victim numbers are unknown, any organization or individual utilizing the affected SiYuan version with the publishing service enabled is potentially at risk. The CVE is rated critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to a patched version that addresses CVE-2026-33669.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;SiYuan Arbitrary Document Access via getChildBlocks\u0026rdquo; to detect potential exploitation attempts targeting the \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoint in your web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, specifically POST requests to \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e with unusual document IDs or request patterns.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/api/file/readDir\u003c/code\u003e and \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoints to mitigate potential abuse.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and ensure all SiYuan instances are monitored by the logging solution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T19:37:18Z","date_published":"2026-03-25T19:37:18Z","id":"/briefs/2026-06-siyuan-arbitrary-doc-read/","summary":"SiYuan is vulnerable to arbitrary document reading via the publishing service, allowing attackers to retrieve document IDs and view the content of all documents, including encrypted or prohibited ones, by exploiting the `/api/file/readDir` and `/api/block/getChildBlocks` interfaces.","title":"SiYuan Arbitrary Document Reading Vulnerability in Publishing 
Service","url":"https://feed.craftedsignal.io/briefs/2026-06-siyuan-arbitrary-doc-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["apache-cxf","denial-of-service","information-disclosure","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Apache CXF that could allow an anonymous, remote attacker to conduct a denial of service (DoS) attack and disclose sensitive information. The specific versions affected are not detailed in this advisory. The attacker exploits an unspecified weakness within Apache CXF\u0026rsquo;s processing capabilities. Successful exploitation leads to service disruption and potentially exposes confidential data handled by the affected Apache CXF instance. This vulnerability poses a significant risk to organizations relying on Apache CXF for their services, potentially impacting availability and data security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Apache CXF endpoint exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request specifically designed to exploit the unspecified vulnerability in Apache CXF.\u003c/li\u003e\n\u003cli\u003eThe malicious request is sent to the vulnerable Apache CXF endpoint.\u003c/li\u003e\n\u003cli\u003eApache CXF processes the malicious request, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability leads to excessive resource consumption on the server, causing a denial of service.\u003c/li\u003e\n\u003cli\u003eThe vulnerability also allows the attacker to potentially access sensitive information processed by Apache CXF, leading to data disclosure.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to further exploit the disclosed information or use the disrupted service as part of a larger attack 
campaign.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a complete denial of service, rendering applications relying on Apache CXF unavailable. The information disclosure aspect can expose sensitive data, potentially leading to further compromise, reputational damage, and legal repercussions. The number of potential victims is broad, encompassing any organization using vulnerable versions of Apache CXF.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement rate limiting on Apache CXF endpoints to mitigate potential DoS attacks (Log Source: Webserver).\u003c/li\u003e\n\u003cli\u003eMonitor Apache CXF logs for unusual request patterns that may indicate exploitation attempts (Log Source: Webserver).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Apache CXF Request\u003c/code\u003e to identify potential exploitation attempts (Sigma Rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-apache-cxf-dos-info-disclosure/","summary":"An anonymous remote attacker can exploit a vulnerability in Apache CXF to perform a denial of service attack and disclose sensitive information.","title":"Apache CXF Vulnerability Allows DoS and Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-03-apache-cxf-dos-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jboss","undertow","denial-of-service","cache-poisoning","session-hijacking","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within the Red Hat JBoss Enterprise Application Platform. 
An unauthenticated, remote attacker can exploit these flaws to trigger a denial-of-service (DoS) condition, manipulate sensitive data, and facilitate subsequent attacks, including cache poisoning and session hijacking. The vulnerabilities exist in the Undertow component. While specific CVEs are not listed in the advisory, the impact could be significant, leading to service disruption and potential data compromise. Defenders should focus on patching and monitoring for suspicious activity targeting JBoss instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable JBoss Enterprise Application Platform instance running an outdated version of Undertow.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted HTTP request designed to exploit a specific vulnerability within Undertow\u0026rsquo;s request processing logic.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability leads to a DoS, the server\u0026rsquo;s resources are exhausted, causing it to become unresponsive to legitimate requests.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability allows data manipulation, the attacker modifies application data via HTTP requests.\u003c/li\u003e\n\u003cli\u003eFor cache poisoning, the attacker crafts a request that, when cached by the application or a proxy, serves malicious content to other users.\u003c/li\u003e\n\u003cli\u003eFor session hijacking, the attacker exploits a vulnerability that allows them to steal or forge user session IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hijacked session to impersonate a legitimate user and gain unauthorized access to sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant disruption of services relying on the JBoss Enterprise Application Platform. 
This includes denial-of-service conditions, potentially impacting business operations and user experience. Data manipulation could lead to data corruption or unauthorized modification of sensitive information. Cache poisoning can spread malicious content to a wide range of users. Session hijacking allows attackers to gain unauthorized access, potentially leading to data breaches or further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eExamine web server logs for abnormal HTTP requests that could indicate exploitation attempts (see example Sigma rule for detecting suspicious HTTP methods).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns that may indicate denial-of-service attacks targeting JBoss servers.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to filter out malicious requests and protect against common web exploits.\u003c/li\u003e\n\u003cli\u003eApply the latest patches and updates for Red Hat JBoss Enterprise Application Platform, focusing on the Undertow component, to remediate the underlying vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:23:05Z","date_published":"2026-03-25T10:23:05Z","id":"/briefs/2026-03-jboss-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform to cause a denial-of-service condition, manipulate data, and conduct further attacks such as cache poisoning and session hijacking.","title":"Red Hat JBoss Enterprise Application Platform Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-jboss-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["craftcms","rce","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCraft CMS versions 5.6.0 through 5.9.12 are 
susceptible to a remote code execution (RCE) vulnerability (CVE-2026-33157) that bypasses previous security measures implemented to prevent similar attacks. The vulnerability stems from the \u003ccode\u003eElementIndexesController::actionFilterHud()\u003c/code\u003e function, where the \u003ccode\u003efieldLayouts\u003c/code\u003e parameter is passed directly to \u003ccode\u003eFieldLayout::createFromConfig()\u003c/code\u003e without proper sanitization. Any authenticated user with control panel access (\u003ccode\u003eaccessCp\u003c/code\u003e permission) can exploit this flaw by injecting malicious behaviors into the \u003ccode\u003efieldLayouts\u003c/code\u003e configuration. This oversight allows attackers to execute arbitrary code on the server, potentially leading to complete system compromise. Defenders need to implement mitigations to detect and prevent exploitation of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with control panel access crafts a malicious HTTP request.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efieldLayouts\u003c/code\u003e array with a configuration containing \u003ccode\u003e\u0026quot;as \u0026lt;name\u0026gt;\u0026quot;\u003c/code\u003e prefixed keys within the request body to the \u003ccode\u003e/admin/element-indexes/filter-hud\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eElementIndexesController::actionFilterHud()\u003c/code\u003e receives the \u003ccode\u003efieldLayouts\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efieldLayouts\u003c/code\u003e parameter is passed to \u003ccode\u003eFieldLayout::createFromConfig($config)\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eFieldLayout::createFromConfig($config)\u003c/code\u003e invokes \u003ccode\u003eModel::__construct($config)\u003c/code\u003e, which 
processes each key in the configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e\u0026quot;as rce\u0026quot;\u003c/code\u003e key triggers \u003ccode\u003eComponent::__set(\u0026quot;as rce\u0026quot;, $value)\u003c/code\u003e, which leads to the instantiation of \u003ccode\u003eAttributeTypecastBehavior\u003c/code\u003e and its attachment to the FieldLayout via \u003ccode\u003eYii::createObject($value)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn \u003ccode\u003e\u0026quot;on *\u0026quot;\u003c/code\u003e key registers a wildcard event handler. Subsequently, \u003ccode\u003eparent::__construct()\u003c/code\u003e is called followed by \u003ccode\u003einit()\u003c/code\u003e -\u0026gt; \u003ccode\u003esetTabs([])\u003c/code\u003e -\u0026gt; \u003ccode\u003egetAvailableNativeFields()\u003c/code\u003e -\u0026gt; \u003ccode\u003etrigger(EVENT_DEFINE_NATIVE_FIELDS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe wildcard handler fires, triggering \u003ccode\u003eAttributeTypecastBehavior::beforeSave()\u003c/code\u003e -\u0026gt; \u003ccode\u003etypecastAttributes()\u003c/code\u003e. The vulnerability results in \u003ccode\u003e$this-\u0026gt;owner-\u0026gt;typecastBeforeSave\u003c/code\u003e being resolved via \u003ccode\u003eComponent::__get()\u003c/code\u003e which returns the command string from the behavior\u0026rsquo;s own property, finally reaching \u003ccode\u003ecall_user_func([ConsoleProcessus::class, 'execute'], $command)\u003c/code\u003e -\u0026gt; \u003ccode\u003eshell_exec($command)\u003c/code\u003e enabling remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user with control panel access to execute arbitrary code on the Craft CMS server. Successful exploitation can lead to complete system compromise, including data theft, modification, or destruction. 
This RCE vulnerability can have significant impacts on organizations using affected versions of Craft CMS (5.6.0 through 5.9.12).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts by monitoring for HTTP requests to \u003ccode\u003e/admin/element-indexes/filter-hud\u003c/code\u003e with the \u003ccode\u003efieldLayouts\u003c/code\u003e parameter in the request body (see Sigma rule \u0026ldquo;Craft CMS RCE Attempt via ElementIndexesController\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply available patches or upgrade to a non-vulnerable version of Craft CMS (versions prior to 5.6.0 or later than 5.9.12).\u003c/li\u003e\n\u003cli\u003eRestrict access to the control panel to only trusted users with a legitimate need, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Craft CMS configurations for any suspicious behavior or event injections.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003eElementIndexesController\u003c/code\u003e and \u003ccode\u003eFieldLayout\u003c/code\u003e components, focusing on POST requests containing potentially malicious configurations (see Sigma rule \u0026ldquo;Craft CMS RCE - AttributeTypecastBehavior\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T16:50:42Z","date_published":"2026-03-24T16:50:42Z","id":"/briefs/2024-01-18-craftcms-rce/","summary":"A remote code execution vulnerability exists in Craft CMS versions 5.6.0 through 5.9.12, where any authenticated user with control panel access can exploit the vulnerability by injecting malicious behavior via the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` due to the unsanitized parameter being passed to `FieldLayout::createFromConfig()`.","title":"Craft CMS Authenticated Remote Code Execution via Malicious Attached 
Behavior","url":"https://feed.craftedsignal.io/briefs/2024-01-18-craftcms-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2025-60949","information-disclosure","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCensus CSWeb version 8.0.1 is susceptible to a critical vulnerability (CVE-2025-60949) that allows unauthenticated remote attackers to access sensitive configuration files. This exposure occurs because the \u003ccode\u003e/app/config\u003c/code\u003e directory is reachable via HTTP in certain deployments. By sending a specially crafted request to this path, an attacker can potentially obtain sensitive information, such as API keys, database credentials, and other secrets stored within the configuration files. This vulnerability was publicly disclosed on March 23, 2026, and a fix is available in version 8.1.0 alpha. Exploitation of this vulnerability can lead to significant data breaches and compromise of the affected system. 
Defenders should prioritize identifying and patching vulnerable instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target running Census CSWeb 8.0.1.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to \u003ccode\u003e/app/config\u003c/code\u003e directory or specific files within that directory.\u003c/li\u003e\n\u003cli\u003eThe vulnerable server processes the request without proper authentication or access controls.\u003c/li\u003e\n\u003cli\u003eThe server responds with the contents of the configuration files, potentially containing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the configuration files to extract sensitive data, such as API keys, database credentials, or internal IP addresses.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain unauthorized access to databases, APIs, or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-60949 can lead to the exposure of sensitive information, including API keys, database credentials, and other secrets. This can allow attackers to gain unauthorized access to critical systems, leading to data breaches, financial loss, and reputational damage. 
The vulnerability affects all deployments of Census CSWeb 8.0.1 where the \u003ccode\u003e/app/config\u003c/code\u003e directory is exposed via HTTP.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Census CSWeb version 8.1.0 alpha or later to patch CVE-2025-60949.\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict access to the \u003ccode\u003e/app/config\u003c/code\u003e directory to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Access to Configuration Files\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/app/config\u003c/code\u003e to detect unauthorized access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T14:00:00Z","date_published":"2026-03-24T14:00:00Z","id":"/briefs/2026-03-census-csweb-config-disclosure/","summary":"Census CSWeb 8.0.1 is vulnerable to unauthenticated remote configuration file disclosure via HTTP requests to the `/app/config` path, potentially exposing sensitive secrets; fixed in 8.1.0 alpha.","title":"Census CSWeb 8.0.1 Configuration File Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-census-csweb-config-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4750","out-of-bounds read","webserver","woof"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn out-of-bounds read vulnerability exists in fabiangreffrath woof, a web server for simple file sharing. This vulnerability, identified as CVE-2026-4750, affects woof versions prior to 15.3.0. The vulnerability was reported by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). 
An attacker could potentially exploit this vulnerability to read sensitive information from the server\u0026rsquo;s memory or cause a denial-of-service condition. This poses a risk to organizations…\u003c/p\u003e\n","date_modified":"2026-03-24T06:16:23Z","date_published":"2026-03-24T06:16:23Z","id":"/briefs/2026-03-woof-oob-read/","summary":"CVE-2026-4750 is a critical out-of-bounds read vulnerability affecting fabiangreffrath woof versions before 15.3.0, potentially leading to information disclosure or denial of service.","title":"Out-of-bounds Read Vulnerability in fabiangreffrath woof (CVE-2026-4750)","url":"https://feed.craftedsignal.io/briefs/2026-03-woof-oob-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-4623","jeson-crm","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-4623, has been discovered in DefaultFuction Jeson-Customer-Relationship-Management-System up to version 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides within the API Module, specifically in the /api/System.php file. An attacker can remotely manipulate the \u0026lsquo;url\u0026rsquo; argument, causing the server to make requests to unintended locations. Due to the product\u0026rsquo;s continuous delivery with rolling releases, specific version details are unavailable. A patch to address the vulnerability is identified as f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. 
This vulnerability poses a significant risk as it allows attackers to potentially access internal resources, bypass security controls, and potentially escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of DefaultFuction Jeson-Customer-Relationship-Management-System running version \u0026lt;= 1b4679c4d06b90d31dd521c2b000bfdec5a36e00.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/api/System.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eurl\u003c/code\u003e parameter, modified to point to an internal resource or external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the malicious request without proper validation of the \u003ccode\u003eurl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application initiates an HTTP request to the attacker-controlled URL or internal resource specified in the \u003ccode\u003eurl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server receives the response from the attacker-controlled server or internal resource.\u003c/li\u003e\n\u003cli\u003eThe application may process the response, potentially exposing sensitive information or allowing further exploitation.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to sensitive information, internal resources, or the ability to perform actions on behalf of the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-4623) can lead to the exposure of sensitive internal data, such as configuration files, database credentials, or API keys. 
It may also allow attackers to bypass security controls, access internal services not intended for public access, and potentially escalate privileges within the application or the underlying infrastructure. Due to lack of information on the specific scope of usage for this CRM, the total number of potential victims is unclear. Organizations utilizing this vulnerable CRM are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch identified as f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476 to mitigate the CVE-2026-4623 vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Jeson CRM System.php SSRF Attempt\u0026rdquo; to your SIEM to detect exploitation attempts against the \u003ccode\u003e/api/System.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on the \u003ccode\u003eurl\u003c/code\u003e parameter within the \u003ccode\u003e/api/System.php\u003c/code\u003e endpoint to prevent malicious URL manipulation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/api/System.php\u003c/code\u003e endpoint, specifically those containing unusual or unexpected URLs in the \u003ccode\u003eurl\u003c/code\u003e parameter, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T03:16:06Z","date_published":"2026-03-24T03:16:06Z","id":"/briefs/2026-03-jeson-crm-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in the DefaultFuction Jeson-Customer-Relationship-Management-System's API Module, specifically affecting the /api/System.php file, allowing remote attackers to manipulate the 'url' argument and potentially access internal resources.","title":"DefaultFuction Jeson-Customer-Relationship-Management-System Server-Side Request Forgery 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-jeson-crm-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33502","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is affected by a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33502) in versions up to and including 26.0. The vulnerability exists within the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e file. An attacker can exploit this flaw to force the AVideo server to make HTTP requests to arbitrary URLs.  Successful exploitation allows attackers to probe internal network services, potentially accessing sensitive internal HTTP resources, cloud metadata endpoints, and other protected assets. The patch for this vulnerability is included in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. This vulnerability poses a significant risk, as it does not require authentication and can lead to the exposure of sensitive information and potential compromise of internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL parameter pointing to an internal resource (e.g., \u003ccode\u003ehttp://localhost/admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AVideo server, without proper validation, processes the request and sends an HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe server receives the HTTP response from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe server may return 
the content of the internal resource to the attacker, depending on the AVideo application logic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the returned content, potentially gaining access to sensitive information like configuration files, API keys, or internal service endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed information to further compromise the AVideo instance or the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-33502) can lead to the exposure of sensitive internal resources, including configuration files, API keys, and cloud metadata.  This can enable attackers to gain unauthorized access to internal systems, escalate privileges, and potentially compromise the entire infrastructure. The number of affected AVideo instances is currently unknown, but given its open-source nature, it is potentially widespread across various sectors. 
A successful attack can lead to data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a patched version containing commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 to remediate CVE-2026-33502.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo SSRF Attempt via plugin Live Test\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to internal resources and mitigate the impact of successful SSRF exploitation.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for suspicious requests to \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e with unusual URL parameters (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T17:16:51Z","date_published":"2026-03-23T17:16:51Z","id":"/briefs/2024-01-24-avideo-ssrf/","summary":"AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.","title":"AVideo Unauthenticated Server-Side Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-avideo-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Traefik"],"_cs_severities":["high"],"_cs_tags":["traefik","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":["Traefik"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability impacts Traefik instances utilizing the \u003ccode\u003eForwardAuth\u003c/code\u003e middleware with \u003ccode\u003etrustForwardHeader=false\u003c/code\u003e, when deployed behind a trusted upstream proxy. 
This vulnerability arises from Traefik\u0026rsquo;s failure to properly sanitize the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header. Although Traefik correctly rebuilds other \u003ccode\u003eX-Forwarded-*\u003c/code\u003e headers like \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e, it does not strip or rebuild \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e. An attacker can inject a malicious \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e value, which is then passed to the authentication service in the subrequest. If the authentication service relies on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header for authorization decisions, an attacker can bypass access controls and reach protected backend routes. This issue affects Traefik versions v2.11.x before v2.11.43, v3.6.x before v3.6.14, and v3.7.0-rc.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a request with a crafted \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin\u003c/code\u003e) to a trusted upstream proxy (e.g., nginx).\u003c/li\u003e\n\u003cli\u003eThe trusted proxy forwards the request to the Traefik instance.\u003c/li\u003e\n\u003cli\u003eTraefik\u0026rsquo;s \u003ccode\u003eStripPrefix\u003c/code\u003e middleware processes the request, stripping a configured prefix (e.g., \u003ccode\u003e/forbidden\u003c/code\u003e) and appending it to the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header using \u003ccode\u003eHeader.Add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eForwardAuth\u003c/code\u003e middleware creates a subrequest to the authentication service, copying all incoming headers, including the attacker-controlled \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e and the \u003ccode\u003eStripPrefix\u003c/code\u003e-added 
value.\u003c/li\u003e\n\u003cli\u003eThe authentication service receives the subrequest with the concatenated \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, where the attacker\u0026rsquo;s value appears first (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin, /forbidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authentication service incorrectly uses the attacker-supplied \u003ccode\u003e/admin\u003c/code\u003e prefix to make authorization decisions.\u003c/li\u003e\n\u003cli\u003eThe authentication service authorizes the request due to the spoofed prefix.\u003c/li\u003e\n\u003cli\u003eTraefik forwards the request to the protected backend route, granting the attacker unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to bypass access controls and gain unauthorized access to protected backend routes. This can lead to data breaches, unauthorized modification of resources, and other security compromises. The impact is especially severe in environments where \u003ccode\u003eStripPrefix\u003c/code\u003e is used before \u003ccode\u003eForwardAuth\u003c/code\u003e, and where the authentication service relies heavily on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header for authorization decisions. 
The number of affected deployments is unknown but likely significant, given Traefik\u0026rsquo;s popularity as a reverse proxy and load balancer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Traefik version v2.11.43, v3.6.14, or v3.7.0-rc.2 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a workaround, if upgrading is not immediately feasible, configure your authentication service to validate and sanitize the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header, ensuring it only trusts values originating from the trusted proxy.\u003c/li\u003e\n\u003cli\u003eImplement the following Sigma rule to detect suspicious requests with the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header targeting the \u003ccode\u003e/forbidden\u003c/code\u003e path, indicating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden your Traefik configuration to ensure that the \u003ccode\u003etrustForwardHeader\u003c/code\u003e parameter is appropriately set based on your deployment environment and trust relationships.\u003c/li\u003e\n\u003cli\u003eMonitor Traefik access logs for suspicious activity, especially requests with unusual \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, using the \u003ccode\u003ewebserver\u003c/code\u003e log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-traefik-auth-bypass/","summary":"A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.","title":"Traefik ForwardAuth Authentication Bypass via 
X-Forwarded-Prefix Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-07-traefik-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7223"}],"_cs_exploited":false,"_cs_products":["HyperChat"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":["BigSweetPotatoStudio"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-7223, affects BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63. The vulnerability resides in the \u0026lsquo;fetch\u0026rsquo; function within the AI Proxy Middleware located at \u003ccode\u003epackages/core/src/http/aiProxyMiddleware.mts\u003c/code\u003e. By manipulating the \u003ccode\u003ebaseurl\u003c/code\u003e argument, a remote attacker can force the server to make arbitrary HTTP requests to internal or external resources. This issue allows attackers to potentially access sensitive information, bypass security controls, or perform other malicious actions. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread exploitation. 
The project maintainers were notified but have not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of BigSweetPotatoStudio HyperChat running version 2.0.0-alpha.63 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the AI Proxy Middleware component.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003ebaseurl\u003c/code\u003e argument within the request to the \u003ccode\u003efetch\u003c/code\u003e function, pointing to an internal resource (e.g., \u003ccode\u003ehttp://localhost:8080/admin\u003c/code\u003e) or an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe HyperChat server, without proper validation of the \u003ccode\u003ebaseurl\u003c/code\u003e, uses it to make an HTTP request.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ebaseurl\u003c/code\u003e points to an internal resource, the server retrieves the content of that resource and sends it back to the attacker.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ebaseurl\u003c/code\u003e points to an external server, the server makes a request to the attacker\u0026rsquo;s server, potentially leaking sensitive information in the request headers or body.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the response from the server to gather sensitive information or identify further attack vectors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-7223) can allow an attacker to read sensitive internal data, such as configuration files or API keys, potentially leading to full system compromise. The attacker could also use the vulnerable server as a proxy to scan internal networks or attack other internal systems. 
Due to the public availability of the exploit, organizations using vulnerable versions of HyperChat are at increased risk of being targeted. The CVSS v3.1 base score for this vulnerability is 7.3, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003ebaseurl\u003c/code\u003e argument in the AI Proxy Middleware to prevent manipulation, addressing CVE-2026-7223.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access from the HyperChat server to only necessary internal resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;HyperChat SSRF Attempt\u0026rdquo; to detect attempts to exploit the vulnerability via HTTP request patterns.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious outbound connections originating from the HyperChat server, correlating with user input.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-hyperchat-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63, allowing a remote attacker to manipulate the 'baseurl' argument in the 'fetch' function of the AI Proxy Middleware component to make arbitrary HTTP requests.","title":"BigSweetPotatoStudio HyperChat AI Proxy Middleware Server-Side Request Forgery","url":"https://feed.craftedsignal.io/briefs/2024-01-23-hyperchat-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2022-50992"}],"_cs_exploited":true,"_cs_products":["E-cology 9.5"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-50992","file-read","vulnerability","webserver"],"_cs_type":"threat","_cs_vendors":["Weaver (Fanwei)"],"content_html":"\u003cp\u003eWeaver (Fanwei) E-cology 9.5 versions prior to 10.52 are vulnerable to an arbitrary file 
read vulnerability (CVE-2022-50992) within the XmlRpcServlet interface. This vulnerability is located at the XML-RPC endpoint and allows unauthenticated remote attackers to read arbitrary files on the system. The attack leverages the \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e and \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e methods, which can be accessed without authentication, to supply file paths. Successful exploitation enables attackers to retrieve sensitive files, including system configuration files and database credentials, from the compromised server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC), highlighting active exploitation of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Weaver E-cology 9.5 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted XML-RPC request to the XmlRpcServlet endpoint.\u003c/li\u003e\n\u003cli\u003eThe request invokes either the \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e or \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a file path to a sensitive file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, database configuration files) as a parameter in the XML-RPC request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable method processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the specified file.\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the XML-RPC response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the response to extract the contents of the sensitive file, potentially gaining access to credentials or other sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50992 allows unauthenticated attackers to read arbitrary files on the Weaver E-cology server. This can lead to the disclosure of sensitive information, such as system configuration files, database credentials, and other confidential data. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability. This vulnerability can lead to full system compromise if database credentials are leaked.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weaver E-cology instances to version 10.52 or later to remediate CVE-2022-50992.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Weaver E-cology File Read via XML-RPC\u003c/code\u003e to identify exploitation attempts targeting the vulnerable XML-RPC endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the XmlRpcServlet endpoint, specifically those containing \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e or \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise and restrict access to sensitive internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-weaver-file-read/","summary":"Unauthenticated remote attackers can exploit an arbitrary file read vulnerability (CVE-2022-50992) in Weaver E-cology 9.5 versions prior to 10.52 via the XML-RPC endpoint to access sensitive files.","title":"Weaver E-cology Arbitrary File Read Vulnerability 
(CVE-2022-50992)","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-file-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pygeoapi"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in pygeoapi versions 0.23.0, 0.23.1, and 0.23.2, specifically within the STAC (Spatially Aware Catalog) FileSystemProvider plugin. This flaw allows unauthenticated attackers to access unauthorized directories by manipulating URL paths, particularly when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing \u003ccode\u003e..\u003c/code\u003e sequences. The vulnerability arises from improper handling of raw string path concatenation, making systems with STAC collection-based resources in their configuration susceptible to unauthorized file system access. This issue was resolved in version 0.23.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP request targeting a pygeoapi instance configured with a STAC collection resource.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate the file system.\u003c/li\u003e\n\u003cli\u003epygeoapi\u0026rsquo;s STAC FileSystemProvider plugin receives the request and attempts to resolve the file path.\u003c/li\u003e\n\u003cli\u003eDue to the raw string path concatenation vulnerability, the path traversal sequences are not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe application constructs an incorrect file path, allowing access to files and directories outside of the intended STAC collection directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information or configuration files located in the exposed 
directories.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the exposed information to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe final objective is unauthorized access to sensitive data and potentially system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe path traversal vulnerability in pygeoapi allows unauthorized access to directories and files, potentially exposing sensitive data, configuration files, or even source code. The impact depends on the data stored in the exposed directories. Successful exploitation can lead to information disclosure, privilege escalation, and further system compromise. Organizations using vulnerable pygeoapi versions are at risk until they upgrade to version 0.23.3 or implement the recommended workaround.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to pygeoapi version 0.23.3 to patch the vulnerability as detailed in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eAs an immediate mitigation, disable STAC collection-based resources in the pygeoapi configuration as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;pygeoapi Path Traversal Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pygeoapi-path-traversal/","summary":"A path traversal vulnerability exists in pygeoapi versions 0.23.0 to 0.23.2 within the STAC FileSystemProvider plugin, allowing unauthenticated access to directories when 
deployed without a URL-normalizing proxy.","title":"pygeoapi Path Traversal Vulnerability in STAC FileSystemProvider","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pygeoapi-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast (\u003c= 0.23.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","azuracast","webserver"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eAzuraCast, a self-hosted web radio management suite, is susceptible to a critical path traversal vulnerability (CVE-2026-42605) in its Flow.js media upload endpoint (\u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e). This flaw allows an authenticated user with media management permissions, such as a DJ or station manager, to bypass file storage directory restrictions. By manipulating the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter during file uploads, attackers can write arbitrary files to locations outside the intended media directory. The vulnerability is present in versions up to and including 0.23.5, and exploitation leads to remote code execution via PHP webshell upload, potentially resulting in full server compromise. 
The default local filesystem storage backend is required for exploitation; S3 or remote storage is not vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AzuraCast web interface with a valid user account that has the \u003ccode\u003eStationPermissions::Media\u003c/code\u003e permission (e.g., DJ or Station Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e endpoint, targeting a station that uses local storage.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../../../var/azuracast/www/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request also includes a PHP webshell file (\u003ccode\u003eshell.php\u003c/code\u003e) as the \u003ccode\u003efile_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e concatenates the unsanitized \u003ccode\u003ecurrentDirectory\u003c/code\u003e value with the sanitized filename.\u003c/li\u003e\n\u003cli\u003eThe server attempts to process the uploaded file, but the \u003ccode\u003e.php\u003c/code\u003e extension triggers a \u003ccode\u003eCannotProcessMediaException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efinally\u003c/code\u003e block in \u003ccode\u003eMediaProcessor.php\u003c/code\u003e executes, calling \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to copy the file to the concatenated path, bypassing normal path sanitization due to \u003ccode\u003ePathPrefixer::prefixPath()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe webshell is written to the web root, allowing the attacker to execute arbitrary commands by accessing the webshell via 
HTTP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the AzuraCast server. This can lead to full server compromise, including reading sensitive configuration files (database credentials, API keys), accessing all station data, modifying application code, and potentially escalating privileges to root. A DJ-level user, the lowest privileged role with media access, can achieve the equivalent of full system administrator access, resulting in data exfiltration and complete control over the AzuraCast instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch by sanitizing the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e using \u003ccode\u003eUploadedFile::filterClientPath()\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eImplement path normalization in \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to prevent traversal even after concatenation, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Webshell Upload via Path Traversal\u0026rdquo; to identify exploitation attempts based on suspicious \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files in the web root directory, such as \u003ccode\u003eshell.php\u003c/code\u003e as described in the PoC.\u003c/li\u003e\n\u003cli\u003eEnsure that AzuraCast instances do not grant excessive permissions to users; minimize the number of accounts with 
\u003ccode\u003eStationPermissions::Media\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-rce/","summary":"AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.","title":"AzuraCast Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Webserver","version":"https://jsonfeed.org/version/1.1"}