Threat

An unauthenticated SQL injection vulnerability, CVE-2017-20262, in Joomla! Component Ajax Quiz version 1.8 allows attackers to execute arbitrary SQL queries by injecting malicious code through the `cid` parameter in GET requests to `index.php` with `option=com_ajaxquiz` and `view=ajaxquiz`, leading to extraction of sensitive database information.

A Russian-speaking threat group utilized a large dataset of administrative and VPN credentials, likely sourced from exposed FortiGate configuration files and active credential harvesting, to access government, critical infrastructure, and multinational corporate networks, resulting in widespread data exfiltration.

The Qilin ransomware group has claimed a new victim, Commune d'Eyguires (www.eyguieres.org), a public sector entity in France, employing their Golang-based ransomware and double extortion tactics, leading to data encryption and potential public release of exfiltrated information.

Adversaries with privileged Azure RBAC roles are exploiting the Azure VM Serial Console to gain SYSTEM/root access on virtual machines, bypassing network controls like NSGs and JIT policies, with detections focusing on unusual user and source network combinations.

On June 17, 2026, Drupal released critical security advisories (AV26-615) addressing multiple vulnerabilities in Drupal core and several modules including Plotly.js Graphing, Flag attendance field, and Formatter Field, which, if unpatched, could allow remote attackers to compromise affected web servers and sensitive data.

A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.

Attackers can exploit Heimdall proxy versions <= 0.17.16 operating in proxy mode by injecting malicious values into the `Host` HTTP header, leading to the construction of a manipulated `Forwarded` header that can spoof client IP addresses for upstream services, potentially bypassing IP-based access controls.

The npm package `praisonai` versions 1.2.3 through 1.7.1 contain a network isolation bypass vulnerability (GHSA-gqmf-56h7-rrpf) in its `SandboxExecutor` component's `network-isolated` mode, allowing non-proxy-aware client commands to establish direct network connections, leading to potential data exfiltration and access to internal services.

A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.

Multiple vulnerabilities discovered in Typo3 allow an attacker to achieve remote arbitrary code execution, privilege escalation, data confidentiality compromise, data integrity compromise, security policy bypass, remote indirect code injection (XSS), and SQL injection (SQLi).

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Multiple high-severity vulnerabilities, including CVE-2025-15467, affect various Siemens SCALANCE LPE, M, W, and X series industrial network devices, potentially allowing a remote attacker to achieve arbitrary code execution, provoke a denial of service, or compromise data confidentiality, with some products confirmed to receive no future patches.

The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.

This brief summarizes newly published IOCs consisting of domains and URLs associated with the Kimsuky APT group as of June 2nd, 2026, sourced from a Maltrail feed.

Iran's MOIS has broadened the Handala brand to encompass physical threat operations, recruiting proxies to conduct attacks, espionage, and sabotage against US and Israeli interests, amplifying both cyber and physical threats.

Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor, which uses malicious desktop applications for adware distribution and provides backdoor capabilities such as command execution and file system manipulation, with some variants using AI summarization for data exfiltration.

CVE-2026-24089 describes a memory corruption vulnerability in processing fastboot commands with invalid input, potentially leading to arbitrary code execution on affected devices and requiring physical access to trigger.

A stack-based buffer overflow vulnerability (CVE-2026-10293) exists in UTT HiPER 1200GW up to version 2.5.3-170306 due to the strcpy function in /goform/formFireWall, allowing remote exploitation via manipulation of the Profile argument.

WP AutoSuggest version 0.24 contains an SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter via GET requests to autosuggest.php, potentially extracting sensitive database information.

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.

An arbitrary file read vulnerability exists in Vitest when the UI server is listening, especially when exposed to the network, allowing an attacker to read arbitrary files outside the project directory and potentially execute arbitrary scripts.

Dell released security advisories in May 2026 to address vulnerabilities in PowerEdge Server Chipset Driver, Data Lakehouse, Dell Enterprise SONiC Distribution, and Dell Unity/UnityVSA/Unity XT.

This brief analyzes a Maltrail IOC list from June 1, 2026, identifying domains and IP addresses associated with various malware and threat actors, including android_fvncbot, lummac2, magentocore, sectoprat, apt_lazarus, offloader, android_joker, cyberstrikeai, and nightshadec2, potentially used for command and control, malware distribution, or phishing campaigns.

A SQL injection vulnerability exists in raisulislamg4's student_management_system_by_php up to commit 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username argument in login_check.php.

A remote code injection vulnerability (CVE-2026-10220) exists in NousResearch hermes-agent versions up to 2026.4.30, affecting the _serve_plugin_skill/skill_view function in tools/skills_tool.py, potentially allowing attackers to inject arbitrary code.

A stack-based buffer overflow vulnerability, CVE-2026-10187, exists in the setWiFiBasicConfig function of the wireless.so file in the Web Management Interface of Totolink N300RH version 6.1c.1353_B20190305, allowing a remote attacker to execute arbitrary code by manipulating the KeyStr argument.

CVE-2026-10178 is a remote SQL injection vulnerability in code-projects Online Music Site 1.0, affecting the /Administrator/PHP/AdminEditAlbum.php file due to manipulation of the ID argument.

CVE-2026-44839 is a cross-site scripting (XSS) vulnerability in the RabbitMQ management UI that arises from unsanitized virtual host (vhost) names, potentially allowing an attacker to execute arbitrary JavaScript in the context of a user's browser.

CVE-2026-42790 is a vulnerability in Microsoft products related to name constraints DNS bypass via subject CommonName fallback in public_key hostname verification.

CVE-2026-10167 is an improper authentication vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allowing a remote attacker to manipulate the 'role' argument to bypass authentication.

A stack-based buffer overflow vulnerability (CVE-2026-10125) exists in the formPPPoESetup function of the /goform/formPPPoESetup file in Edimax BR-6478AC version 1.23, allowing a remote attacker to execute arbitrary code by manipulating the pppUserName argument in a POST request; a public exploit is available.

A stack-based buffer overflow vulnerability exists in Shibby Tomato up to version 1.28 in the rip_zebra_read_ipv4 function within the /usr/sbin/ripd component (Zserv Handler), allowing a remote attacker to execute arbitrary code.

Yot CMS 3.3.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters in GET requests, potentially leading to database information disclosure.

Gate Pass Management System 2.1 is vulnerable to SQL injection via the login-exec.php endpoint, allowing unauthenticated attackers to bypass authentication and gain unauthorized access to the application by injecting SQL code in the login and password parameters.

SIM-PKH version 2.4.1 is vulnerable to SQL injection (CVE-2018-25410), allowing an authenticated attacker to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter via a crafted GET request, potentially leading to database information disclosure.

Open ISES Project 3.30A is vulnerable to path traversal (CVE-2018-25408), allowing unauthenticated attackers to download arbitrary files by manipulating the filename parameter in the ajax/download.php endpoint, potentially exposing configuration and system files.

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities allowing unauthenticated attackers to execute arbitrary SQL queries via crafted parameters in mod.php.

eNdonesia Portal 8.7 is vulnerable to SQL injection (CVE-2018-25406), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through specific parameters, potentially leading to data exfiltration.

eNdonesia Portal version 8.7 is vulnerable to SQL injection (CVE-2018-25405), allowing unauthenticated attackers to execute arbitrary SQL queries through the artid, cid, did, contid, and aboutid parameters in mod.php, potentially leading to the extraction of sensitive database information.

A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.

PraisonAI Platform's workspace-scoped REST routes have an object-level authorization flaw allowing authenticated users from one workspace to access, modify, and delete objects in another workspace by providing the victim object's global UUID.

PraisonAI Platform is vulnerable to cross-workspace IDOR and member-role privilege escalation, allowing unauthorized users to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces due to insufficient access controls and role enforcement.

Multiple vulnerabilities in Centreon Web versions 25.10.x before 25.10.12 and versions before 24.10.25 allow a remote attacker to achieve arbitrary code execution and bypass security policies.

A remote, authenticated attacker can exploit multiple vulnerabilities in OpenClaw to bypass security mechanisms, gain elevated privileges, disclose information, manipulate configurations, execute arbitrary commands or code, and attack internal systems via SSRF.

Multiple vulnerabilities exist in Check Point Security Gateway that could be exploited by an attacker to perform a denial of service attack, disclose information, and perform a SQL injection attack.

CVE-2026-46107 is a reported vulnerability in dm-thin, leading to a metadata refcount underflow.

ESET's APT Activity Report for Q4 2025 and Q1 2026 highlights diverse campaigns by China, Iran, North Korea, and Russia-aligned threat actors, including espionage, supply chain compromise, and destructive attacks.

Dulwich is vulnerable to command injection (CVE-2026-42563). By injecting malicious file paths through a crafted git tree, an attacker can achieve arbitrary command execution when a victim merges an untrusted branch because the `ProcessMergeDriver` substitutes the file path into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`.

The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.

CVE-2026-46837 is a SQL injection vulnerability in Oracle Flow Manufacturing within Oracle E-Business Suite versions 12.2.9 through 12.2.15, allowing a low-privileged attacker with network access to potentially take over the application.

CVE-2026-46835 is an easily exploitable vulnerability in Oracle Database Server's Net Service component, affecting versions 23.4.0 to 23.26.2, allowing an unauthenticated attacker with network access via TLS to cause a complete denial-of-service (DoS).

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

This analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window using Cisco Secure Firewall Threat Defense logs, identifying hosts triggering more than 15 Snort-based signatures, which may indicate suspicious activity like malware execution, command-and-control communication, vulnerability scanning, or lateral movement.

The Gentlemen ransomware, operated by Storm-2697 as a RaaS, employs a combination of strong per-file encryption with aggressive self-propagation to achieve broad network compromise, targeting Windows environments and using double extortion tactics.

CVE-2026-8380 is a critical authorization bypass vulnerability in the WordPress Frontend File Manager plugin <= 23.6 that allows authenticated low-privilege users, or unauthenticated users with guest uploads enabled, to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types.

An unpatched argument injection vulnerability in Gogs (versions 0.14.2 and 0.15.0+dev) allows authenticated attackers to achieve remote code execution (RCE) on vulnerable instances, potentially leading to complete server compromise.

Multiple vulnerabilities exist in Jenkins Plugins that could allow an attacker to disclose information, manipulate files, conduct cross-site scripting attacks, execute arbitrary code, and bypass security measures.

The 2026 FIFA World Cup faces significant cyber threats from ransomware groups, state-aligned entities like Iran-nexus Handala Hack Team and Russia-nexus NoName057(16), and financially motivated cybercriminals, anticipating disruptive intrusions, large-scale criminal fraud, and politically driven DDoS and hack-and-leak operations targeting fans, hospitality services, and tournament infrastructure.

CVE-2026-4408 describes a remote command execution vulnerability in Samba file servers and classic domain controllers where a misconfigured 'check password script' feature, using the %u substitution character without proper escaping, allows attackers to execute arbitrary commands.

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.

A remote, anonymous attacker can exploit a vulnerability in Apache Tika to read sensitive data or trigger malicious requests to internal resources or third-party servers.

A remote, anonymous attacker can exploit a vulnerability in VMware Tanzu Spring Framework to perform a denial of service attack.

CVE-2026-45842 is an unspecified vulnerability affecting Microsoft products, requiring further investigation to determine the specific attack vector, impact, and affected systems.

CVE-2026-44899 is a CSS Injection vulnerability in the Mistune Image Directive, potentially allowing for malicious CSS injection if user-supplied content is not properly sanitized.

Microsoft published CVE-2025-71305, addressing a vulnerability related to insufficient protection against zero VCPI values in DisplayPort Multi-Stream Transport (MST), although specifics on exploitation and impact are not detailed in the provided source.

CVE-2026-45843 is a Microsoft vulnerability with unspecified details at the time of this brief.

Yamcs is vulnerable to authenticated remote code execution (CVE-2026-46621) where an authenticated user with the ChangeMissionDatabase privilege can inject malicious Jython code into existing Python algorithms, leading to arbitrary command execution on the underlying host operating system.

Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.

Symfony's Mime Address component is susceptible to email header and SMTP command injection due to accepting CRLF characters within email addresses, leading to potential header manipulation or unauthorized SMTP commands in symfony/mime and symfony/symfony versions prior to 5.4.52, versions 6.0.0 to before 6.4.40, versions 7.0.0 to before 7.4.12 and versions 8.0.0 to before 8.0.12.

A critical deserialization of untrusted data vulnerability (CVE-2025-54539) exists in Apache ActiveMQ NMS AMQP Client <= v2.3.0, where an attacker controlling or impersonating an AMQP broker can send malicious serialized data that the client deserializes unsafely, allowing arbitrary code execution on the client system.

Kirby CMS is vulnerable to stored cross-site scripting (XSS) due to insufficient sanitization of links within KirbyTags and image blocks, allowing authenticated users with content editing privileges to inject malicious JavaScript that executes when other users interact with the crafted links on the site frontend; patched in versions 4.9.1 and 5.4.1.

This rule detects suspicious network activity from tools or scripts attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance-specific information and credentials.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

A remote, anonymous attacker can exploit a vulnerability in 7-Zip to execute arbitrary program code on Windows, Linux, and macOS systems.

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion (CVE-2026-9200) in versions up to 0.2.1, allowing authenticated attackers with contributor-level access and above to include and execute arbitrary PHP files on the server, potentially leading to privilege escalation and code execution.

The Login with OTP plugin for WordPress is vulnerable to authentication bypass due to an incomplete fix for CVE-2024-11178, allowing unauthenticated attackers to brute-force OTP codes and gain administrative access.

Kirby CMS versions 5.3.0 through 5.4.0 are vulnerable to pre-authentication path traversal, allowing an attacker to include arbitrary PHP files with the filename `index.php`, potentially leading to sensitive information disclosure or malicious actions due to insufficient validation of the provided user ID during user lookup.

Kirby CMS is vulnerable to arbitrary method call via REST API search and collection query endpoints, allowing attackers to execute sensitive methods like password disclosure or privilege escalation, patched in versions 4.9.1 and 5.4.1.

A SQL injection vulnerability (CVE-2026-9584) exists in code-projects Project Management System 1.0 within the chk.php file of the Login component, allowing a remote attacker to execute arbitrary SQL commands.

A vulnerability in gnutls (CVE-2026-42013) allows a remote attacker to bypass certificate validation by providing an oversized Subject Alternative Name (SAN), causing the validation process to fall back to the Common Name (CN) field, potentially leading to spoofing or man-in-the-middle attacks.

CVE-2026-42012 describes a vulnerability in GnuTLS where a remote attacker can spoof legitimate services or intercept sensitive information by presenting a specially crafted certificate with URI or SRV SANs, causing the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN).

itsourcecode Student Transcript Processing System 1.0 is vulnerable to SQL injection via the studentId/cid parameter in the /admin/modules/student/trans.php file, allowing remote attackers to manipulate database queries.

IBM HTTP Server 8.5 and 9.0 is vulnerable to a denial of service (DoS) in configurations where an attacker possesses write access to server configuration files, as tracked by CVE-2026-8856.

IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations utilizing TLS mutual authentication (client authentication).

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 are vulnerable to HTTP request smuggling due to inconsistent interpretation of HTTP requests, potentially leading to unauthorized access and data manipulation.

A SQL injection vulnerability (CVE-2026-9552) exists in Das Parking Management System 6.2.0 within the Search API Endpoint, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'Value' argument.

A stack-based buffer overflow vulnerability (CVE-2026-9481) exists in the formStats function of the /goform/formStats file in Edimax EW-7438RPn version 1.31, allowing a remote attacker to execute arbitrary code by manipulating the submit-url argument.

Edimax EW-7438RPn version 1.31 is vulnerable to a stack-based buffer overflow in the formLicence function of the /goform/formLicence file, allowing remote attackers to execute arbitrary code by manipulating the submit-url argument; a public exploit is available.

A SQL Injection vulnerability exists in itsourcecode Electronic Judging System version 1.0 in the /admin/edit_judge.php file. By manipulating the judge_id argument, an attacker could execute arbitrary SQL commands on the system. The vulnerability can be triggered remotely and has a public exploit available.

A SQL injection vulnerability (CVE-2026-9523) exists in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2, where manipulating the 'sort' argument in the '/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree' file leads to remote code execution, and is publicly known and actively exploited.

A vulnerability in hemant6488 CodeIgniter-StudentManagementSystem allows remote attackers to perform improper access controls by manipulating the /index.php/students/addStudentView file, with a publicly available exploit and no vendor response.

A SQL injection vulnerability exists in the /success.php file of yashpokharna2555 StudentManagementSystem, allowing remote attackers to execute arbitrary SQL commands by manipulating the User argument.

Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability (CVE-2018-25376) in the registration dialog, allowing local attackers to execute arbitrary code by overwriting the SEH chain.

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability, tracked as CVE-2018-25374, allowing unauthenticated attackers to read arbitrary files by manipulating the path parameter in requests to nocache.php.

AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability (CVE-2018-25360) in the Trace Route host name field, allowing local attackers to execute arbitrary code by triggering structured exception handling.

A stack-based buffer overflow vulnerability (CVE-2026-9459) exists in the formConnectionSetting function of /goform/formConnectionSetting in Edimax EW-7438RPn 1.31, allowing a remote attacker to execute arbitrary code by manipulating the max_Conn/timeOut arguments, with a public exploit available.

A SQL injection vulnerability (CVE-2026-9447) exists in SourceCodester Simple POS and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Name' argument in the /user/search.php file.

A remote stack-based buffer overflow vulnerability (CVE-2026-9431) exists in the fromPptpUserAdd function of the /goform/PptpUserAdd file in Tenda F1202 firmware version 1.2.0.20(408), allowing unauthenticated attackers to potentially execute arbitrary code.

Totolink A8000RU version 7.1cu.643_b20200521 is vulnerable to remote OS command injection via manipulation of the Comment argument in the setIpQosRules function, allowing unauthenticated attackers to execute arbitrary commands on the device.

SIPp 3.6 and earlier contains a local buffer overflow vulnerability (CVE-2018-25356) in command-line argument handling, allowing local attackers to potentially crash the application or execute arbitrary code by supplying oversized input to the -3pcc, -i, or -log_file parameters.

Audiograbber 1.83 contains a local buffer overflow vulnerability (CVE-2018-25355) allowing attackers to execute arbitrary code by exploiting structured exception handling mechanisms through crafted input in the Interpret or Album fields.

Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.

WordPress Form Maker Plugin version 1.12.24 and below is vulnerable to SQL injection, allowing authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv actions via crafted POST requests, potentially leading to data extraction, modification, or privilege escalation.

A buffer overflow vulnerability exists in 10-Strike Network Scanner 3.0, allowing attackers to bypass SafeSEH protections and execute arbitrary code by crafting a malicious payload in the host name or address field and triggering the vulnerability through the Trace route or System information functions.

A buffer overflow vulnerability (CVE-2026-9294) exists in the formWanTcpipSetup function of the /goform/formWanTcpipSetup file in Edimax BR-6428NS 1.10, which can be triggered by a remote attacker manipulating the pppUserName argument via a POST request, potentially leading to arbitrary code execution.

The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.

Dell ECS versions 3.5 and 3.6 contain an improper access control vulnerability (CVE-2022-31231) in the Identity and Access Management (IAM) module, potentially allowing a remote unauthenticated attacker to gain unauthorized read access to data.

Dell PowerFlex Manager versions 4.6.2 and prior contains an open redirect vulnerability (CVE-2025-26483) that allows an unauthenticated attacker to redirect a targeted user to an arbitrary web URL, potentially enabling phishing attacks.

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, allowing an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.

A remote, anonymous attacker can exploit multiple vulnerabilities in Microsoft 365 Copilot to execute arbitrary program code and disclose confidential information.

A remote, anonymous attacker can exploit a vulnerability in NGINX Open Source and NGINX Plus to perform a denial-of-service attack and potentially execute arbitrary code.

CVE-2026-1502 is a critical vulnerability in Microsoft HTTP client proxy tunnel header validation, potentially allowing for CR/LF injection attacks.

Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.

The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.

A remote, unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability in the Royal Elementor Addons plugin for WordPress.

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress versions up to 3.1.65 is vulnerable to an authorization bypass (CVE-2026-9011) that allows unauthenticated attackers to retrieve the full content of non-public Dittys by exploiting the ditty_init AJAX endpoint.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to perform an HTTP response header injection, enabling cross-site scripting (XSS), open redirect attacks, and cache or header manipulation.

A remote attacker can exploit multiple vulnerabilities in PHP to disclose information, cause a denial-of-service condition, perform a Server-Side Request Forgery (SSRF) attack, or achieve unknown impacts.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to potentially execute arbitrary code or cause a denial-of-service condition.

A memory exhaustion vulnerability exists in `@libp2p/gossipsub` due to unbounded subscription handling, allowing a single attacker to exhaust a Node.js heap by flooding unique topic subscriptions, leading to denial-of-service.

A vulnerability in Twig versions 3.15.0 to 3.26.0 (CVE-2026-46640) allows arbitrary PHP code execution via the `_self.(<string>)` macro-reference compilation, enabling attackers to inject and execute arbitrary PHP code by supplying malicious template source, bypassing the SandboxExtension.

The Fission `storagesvc` component exposes unauthenticated CRUD operations on the `/v1/archive` endpoint, allowing any workload within the same Kubernetes cluster to enumerate archive IDs, download archives, upload arbitrary content, and delete archives, leading to potential code and secret exposure and function disruption.

Trend Micro released a security advisory addressing vulnerabilities in Apex One (on-premise), Apex One as a service, and Trend Vision One Endpoint, prompting users to apply necessary updates to mitigate potential risks.

A GitHub employee's device was compromised via a malicious VS Code extension, leading to the theft of approximately 3,800 internal repositories by threat actor TeamPCP (UNC6780), who then offered the data for sale.

A CSRF-OOB-Injection vulnerability exists in SolarEdge Monitoring Platform's `/solaredge-web/p/initClient` endpoint due to improper validation of session parameters, allowing attackers to manipulate headers to initiate requests to attacker-controlled domains, potentially leading to session compromise and unauthorized system control.

A local exploit has been published for Lenovo LegionSpace 1.7.11.2, detailing an Unquoted Service Path vulnerability in the 'DAService', potentially leading to local privilege escalation.

Cockpit version 359 is vulnerable to remote code execution, and a public exploit is available on Exploit-DB, increasing the risk for unpatched systems.

A public exploit is available for CVE-2026-9082, a SQL injection vulnerability in Drupal Core affecting PostgreSQL-backed sites running versions 8.0 through 11.3.9, allowing unauthenticated users to potentially achieve data exfiltration, privilege escalation, and remote code execution.

A remote, anonymous attacker can exploit multiple vulnerabilities in Internet Systems Consortium BIND to trigger memory corruption or cause a denial-of-service condition.

Multiple vulnerabilities, including a critical authentication bypass (CVE-2026-42097), affect Sparx Systems Pro Cloud Server and Enterprise Architect, potentially leading to remote code execution and data compromise; active exploitation is likely given available PoCs.

CVE-2026-47783 is a timing side channel vulnerability in memcached before 1.6.42, affecting SASL password database authentication due to premature loop exit upon finding a valid username, potentially leading to information disclosure.

Multiple vulnerabilities exist in Trend Micro products, including TrendAI Apex One, potentially allowing authenticated attackers to tamper with files, distribute malicious code, or escalate privileges; CVE-2026-34926 is being actively exploited.

The Webworm APT group is using updated tactics, techniques, and procedures, including new backdoors using Discord and Microsoft Graph API for command and control, custom proxy tools, and GitHub for malware staging, shifting focus to European governmental organizations.

The TeamPCP hacking group released the source code of the Shai-Hulud worm impacting npm and PyPI, prompting European governments to seek secure messaging alternatives due to phishing risks and data sovereignty concerns, while historical analysis reveals the Fast16 malware targeted Iran's nuclear program by tampering with simulation software.

This brief summarizes indicators of compromise (IOCs) from a Maltrail feed update on 2026-05-20, detailing network activity associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp campaigns, providing actionable intelligence for detection and response.

Threat actors exploited CVE-2024-12802, a vulnerability in SonicWall Gen6 SSL-VPN appliances, to bypass multi-factor authentication (MFA) after brute-forcing VPN credentials, leading to the deployment of ransomware-related tools.

Ransomware-as-a-service (RaaS) attacks leverage affiliates for initial access, persistence, and exfiltration, using varied techniques like compromised RDP, vulnerable VPNs, and rogue RMM tools, impacting multiple organizations in a single campaign.

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability (CVE-2026-9139) in the embedded web configuration interface, allowing unauthenticated attackers with network access to recover administrative credentials directly from client-side JavaScript and gain full administrative access to the device.

PgBouncer versions prior to 1.25.2 are vulnerable to an integer overflow (CVE-2026-6664), enabling unauthenticated remote attackers to trigger a denial-of-service via a crafted SCRAM authentication packet, with active exploitation reported.

CVE-2026-20199 - A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user.

FreePBX released security advisories addressing authenticated SQL injection and local file inclusion vulnerabilities in the Security-Reporting cdr and dashboard modules for FreePBX 16 and 17.

Multiple vulnerabilities in Mozilla Firefox ESR, Firefox, Firefox for iOS, and Thunderbird products can lead to arbitrary code execution, privilege escalation, and remote denial of service.

A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1 could allow an attacker to cause a denial of service or potentially execute arbitrary code.

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird could allow a remote attacker to execute arbitrary code, disclose information, bypass security restrictions, deceive the user, escalate privileges, or cause a denial-of-service condition.

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by Fox Tempest that abused the Azure Artifact Signing service to generate fraudulent code-signing certificates, enabling malware to bypass security controls.

An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages with crafted keys to bypass validation and cause disk exhaustion.

TeamPCP compromised the PyPi package durabletask (versions 1.4.1, 1.4.2, and 1.4.3), stealing credentials for AWS, Azure, GCP, K8s, and Vault, brute-forcing passwords from password managers, and exfiltrating shell history before propagating to up to 5 targets via AWS SSM and Kubernetes.

The Shai-Hulud campaign is back and targets maintainer accounts to publish malicious code directly into the software supply chain via npm, recently hitting the Ant Design (AntV) ecosystem and potentially exposing downstream developers to credential theft and remote code execution.

The AVX2 implementation of ML-DSA verification in libcrux-ml-dsa mishandles an edge case in the `use_hint` function, potentially allowing an attacker to craft an invalid signature that is accepted by the verifier if the AVX2 implementation is used.

Composer leaks GitHub OAuth tokens in GitHub Actions logs if they do not match the expected format due to a validation regex, leading to potential unauthorized access.

Microsoft disrupted Fox Tempest, a threat actor running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware disguised as legitimate software, delivering ransomware and various information stealers to victims across multiple sectors.

Argo CD is vulnerable to stored cross-site scripting (XSS) via manipulated application link annotations, allowing a low-privileged user to execute arbitrary JavaScript in a higher-privileged user's session, leading to privilege escalation.

The `pullArtifact` methods in `Registry` and `OCILayout` use the `org.opencontainers.image.title` annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check, allowing a manifest publisher to write blobs outside of the intended target directory.

Funnel Builder for WooCommerce Checkout versions prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and inject malicious JavaScript, impacting checkout page visitors.

HestiaCP versions 1.9.0 through 1.9.4 are vulnerable to unauthenticated remote code execution due to a deserialization flaw in the web terminal component (CVE-2026-43633), stemming from a session format mismatch between PHP and Node.js, allowing attackers to inject malicious data via HTTP headers.

An unpatched pre-authentication remote code execution (RCE) vulnerability, tracked as CVE-2026-45829 and referred to as ChromaToast, in ChromaDB versions 1.0.0 and later allows remote, unauthenticated attackers to execute arbitrary code and leak sensitive information, potentially leading to a server takeover.

CVE-2026-7571 describes a vulnerability in Keycloak where a low-privilege user can bypass security controls intended to disable the implicit flow in OpenID Connect (OIDC) clients by manipulating client data during session restart, potentially exposing access tokens.

A vulnerability in Unbound allows an attacker from an adjacent network to manipulate the cache, potentially leading to domain hijacking.

An authenticated or anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux regarding Valkey to manipulate files or cause a denial-of-service condition.

Multiple vulnerabilities in Docker allow a local attacker to execute arbitrary code with administrator privileges, cause a denial-of-service condition, or manipulate data.

A type confusion vulnerability exists in Apple Safari, as detailed in CVE-2024-23222. A public exploit demonstrates successful exploitation of the vulnerability on iOS 16.4.1, leading to a sandbox escape, which has been patched in iOS 17.3 and macOS 14.3.

An authenticated remote attacker can exploit a vulnerability in BigBlueButton to conduct a Cross-Site Scripting (XSS) attack.

A remote attacker can exploit a vulnerability in libsndfile to execute arbitrary code or cause a denial of service, potentially leading to complete system compromise or service disruption.

TeamPCP is conducting a multi-ecosystem supply chain attack targeting the open-source ecosystem, specifically NPM packages, GitHub Actions, and VSCode extensions, to harvest credentials, exfiltrate sensitive data, and establish persistent access on infected systems via a Python-based backdoor.

The Piotnet Addons for Elementor Pro plugin for WordPress, versions up to 7.1.70, is vulnerable to unauthenticated arbitrary file upload due to insufficient file type validation in the 'pafe_ajax_form_builder' function, potentially leading to remote code execution.

A denial-of-service vulnerability, identified as CVE-2026-37458, exists in the MP_REACH_NLRI component of FRRouting versions stable/10.0 to stable/10.6, where authenticated attackers can trigger a DoS by sending a crafted UPDATE message due to missing input validation.

CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.

Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.

SOGo 5.12.7 is vulnerable to SQL injection in the Access Control List management functionality, allowing authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint, which can be exfiltrated via the /acls API.

Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.

A tampering vulnerability exists in .NET 8.0, .NET 9.0, and .NET 10.0 due to improper handling of specially crafted files, potentially allowing an attacker to write arbitrary files and directories to specific locations on a vulnerable system with limited control over the destination.

DumbAssets version 1.0.11 is vulnerable to a path traversal vulnerability in the POST /api/delete-file endpoint, allowing unauthenticated attackers to delete arbitrary files, including critical files like server.js or package.json, resulting in denial of service.

A race condition in Docker's `docker cp` command allows a malicious container to redirect a bind mount target to an arbitrary host path by manipulating symlinks during the setup of temporary filesystem views, potentially overwriting host files or causing denial of service.

A SQL injection vulnerability exists in Postgrex versions 0.16.0 to before 0.22.2 within the `Postgrex.Notifications.listen/3` function allowing attackers to execute arbitrary SQL commands on the notifications connection by manipulating the channel name.

A vulnerability exists in Docker where a malicious container image can execute arbitrary code with host root privileges by exploiting the decompression of compressed archives uploaded via the `PUT /containers/{id}/archive` endpoint, tracked as CVE-2026-41567.

Multiple Livewire components in the Shopper framework admin panel allowed authenticated low-privilege users to bypass authorization and mutate data without the required permissions, leading to potential privilege escalation and cross-site scripting.

A stored XSS vulnerability (CVE-2026-45270) exists in the Pages module of CI4MS due to improper sanitization of page content, allowing an attacker with `pages.create` permissions to inject malicious code and escalate privileges if an administrator views the page.

Dify version 1.14.1 and prior contain a path traversal vulnerability (CVE-2026-41948) that allows authenticated users to manipulate requests to the Plugin Daemon's internal REST API and access internal endpoints by traversing out of their authorized tenant path.

Kaspersky's Q1 2026 report highlights trends in malware targeting Windows, macOS, and IoT devices, including the exploitation of CVE-2026-20131 in Cisco Secure FMC firewalls and the rise of new ransomware variants and mining activities.

Multiple vulnerabilities in Webmin allow an attacker to bypass security measures and execute arbitrary code with administrator privileges, leading to potential system compromise.

Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.

A remote buffer overflow vulnerability exists in the UpdateWanParams function of the /goform/aspForm file in H3C Magic B3 devices up to version 100R002, which can be exploited by manipulating the 'param' argument, leading to potential remote code execution.

A vulnerability in Metasoft MetaCRM up to version 6.4.0 Beta06 allows for unrestricted file upload due to manipulation of the 'File' argument in the /common/jsp/upload3.jsp file, potentially leading to arbitrary code execution.

adenhq hive versions up to 0.11.0 are vulnerable to path traversal via manipulation of the _read_events_tail function in core/framework/server/routes_sessions.py, allowing a remote attacker to potentially access sensitive files.

A remote path traversal vulnerability exists in fishaudio Bert-VITS2's Gradio Interface, allowing attackers to manipulate the data_dir argument in the generate_config function of webui_preprocess.py.

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability (CVE-2018-25335) that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint, leading to potential code execution.

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability (CVE-2021-47975) that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter via a POST request to the jslm_fieldordering page, resulting in arbitrary JavaScript execution when administrators view the field ordering interface.

Macaron Notes 5.5 is vulnerable to a denial-of-service condition (CVE-2021-47970) due to its handling of excessively long character strings in notes, leading to application crashes.

Color Notes 1.4 is vulnerable to a denial-of-service attack (CVE-2021-47969) where pasting excessively long character strings into note fields can crash the application, achieved by generating and pasting a 350,000-character payload twice into a new note.

Home Assistant Community Store (HACS) 1.10.0 is vulnerable to a path traversal, allowing unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint, leading to potential account takeover.

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability (CVE-2020-37247) in the KiteService Windows service that allows local attackers to escalate privileges by placing a malicious executable in a directory due to the unquoted service path.

Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.

Syncplify.me Server! version 5.0.37 contains an unquoted service path vulnerability (CVE-2020-37230) in the SMWebRestServicev5 service, allowing a local attacker to escalate privileges by placing a malicious executable in the service path.

HS Brand Logo Slider version 2.1 contains an unrestricted file upload vulnerability (CVE-2020-37227) allowing authenticated users to bypass client-side validation and upload arbitrary files, leading to remote code execution by intercepting upload requests and renaming files to executable extensions.

The Russian hacker group Secret Blizzard has evolved the Kazuar backdoor into a modular P2P botnet designed for persistence, stealth, and data collection, utilizing kernel, bridge, and worker modules for command and control and data exfiltration.

CVE-2026-44662 is a critical heap buffer overflow vulnerability in rust-openssl during encryption with AES key-wrap-with-padding, potentially leading to arbitrary code execution or denial of service.

A public exploit, rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 in Oracle Reports Server versions below 11g, enabling unauthenticated file read, SSRF, and JSP shell upload.

The WordPress Plugin WPGraphQL version 1.3.5 is vulnerable to a denial-of-service attack where unauthenticated attackers can exhaust server resources by sending batched GraphQL queries with duplicated fields, potentially causing server out-of-memory conditions and MySQL connection errors.

WordPress WP Super Edit plugin version 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component, allowing unauthenticated attackers to upload arbitrary files leading to remote code execution and complete system compromise.

UNC6671, operating under the "BlackFile" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.

A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.

Multiple vulnerabilities in PostgreSQL versions 14.x, 15.x, 16.x, 17.x and 18.x could allow for arbitrary code execution, remote denial of service, and data breach, potentially leading to complete system compromise.

A remote, anonymous attacker can exploit a vulnerability in HCL BigFix to manipulate data and conduct a cross-site scripting attack.

Multiple vulnerabilities in PostgreSQL could be exploited by an attacker to execute arbitrary code, conduct a denial of service attack, disclose information, manipulate files, conduct a SQL injection attack, and bypass security measures.

OpenAI was impacted by the TanStack supply chain attack, resulting in two employee devices being compromised and the exfiltration of credential material from internal source code repositories.

Multiple vulnerabilities in cPanel/WHM allow an attacker to escalate privileges, perform SQL injection with root privileges, manipulate data, or disclose sensitive information.

This brief summarizes a Maltrail IOC feed update on 2026-05-15, containing indicators associated with APT_Kimsuky, CyberstrikeAI, Android_Joker, Sectoprat, EK_Landupdate808, and MagentoCore campaigns involving suspicious domains and IP addresses.

Multiple vulnerabilities in the Palo Alto Networks GlobalProtect App could allow an attacker to gain administrator privileges, execute arbitrary code with administrator privileges, disclose sensitive information, manipulate data, and cause a denial-of-service condition.

Multiple vulnerabilities in F5 BIG-IP products could allow an attacker to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6228) in versions up to and including 3.28.36, allowing unauthenticated attackers to gain administrator privileges.

A remote, anonymous attacker can exploit a vulnerability in Apache Camel to execute arbitrary program code with the privileges of the service.

The FrostyNeighbor threat actor is targeting Ukrainian governmental organizations with spearphishing emails containing malicious PDFs that deliver a JavaScript dropper (PicassoLoader) and ultimately a Cobalt Strike beacon.

The `utcp-cli` package is vulnerable to command injection. The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled values directly into shell command strings without sanitization, allowing an attacker to inject arbitrary shell commands, resulting in full Remote Code Execution. The vulnerability is fixed in version 1.1.2.

Open WebUI versions 0.9.4 and earlier are vulnerable to Server-Side Request Forgery (SSRF) due to a parsing difference between the urlparse and requests libraries in the `validate_url` function, allowing attackers to bypass URL validation and make requests to internal IP addresses.

FlowiseAI versions 3.1.1 and earlier are vulnerable to a privilege escalation due to missing authentication and permission checks on the OpenAI Assistants Vector Store CRUD endpoints, allowing any authenticated user to create, modify, upload files to, and delete vector stores and files, regardless of their assigned permissions.

FlowiseAI is vulnerable to a mass assignment vulnerability in the Evaluator controller/service, where an attacker can manipulate the `workspaceId` during evaluator creation or updates, leading to cross-workspace data takeover and IDOR.

A vulnerability exists in Universal Robots Polyscope 5 versions prior to 5.25.1, specifically CVE-2026-8153, that could allow an unauthenticated attacker to craft commands that execute code on the robot's OS, leading to full system compromise.

CVE-2026-23998 describes a vulnerability in Fleet's Windows MDM management endpoint that allows requests to be processed without proper client certificate validation, potentially allowing an attacker to impersonate a device and retrieve sensitive configuration data.

A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.

Kimsuky, a North Korean APT group, is actively targeting organizations, primarily in South Korea, with evolving tactics and tools, leveraging spear-phishing emails and messenger contacts to deploy malware such as PebbleDash and AppleSeed for establishing backdoors and stealing information.

CVE-2026-2347 describes an authorization bypass vulnerability through a user-controlled key in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website before version 4.5.001, which could lead to session hijacking.

The InfusedWoo Pro plugin for WordPress is vulnerable to arbitrary file read in versions up to 5.1.2, allowing unauthenticated attackers to make web requests to arbitrary locations, potentially querying and modifying information from internal services.

Threat actors are increasingly using device code phishing, often via Phishing-as-a-Service platforms, to compromise user accounts by abusing the OAuth 2.0 device authorization grant flow and capturing authentication tokens, enabling account takeover, data theft, and business email compromise.

The Fluent Forms WordPress plugin through 6.2.0 is vulnerable to Insecure Direct Object Reference (IDOR), allowing authenticated users with manager-level access or higher to bypass form-level access controls, export arbitrary database tables, and enumerate table names via error messages, as tracked by CVE-2026-5395.

The Career Section plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.7 due to missing file type validation in the CV upload handler, potentially leading to remote code execution.

The Fluent Forms plugin for WordPress is vulnerable to authorization bypass via a user-controlled key (CVE-2026-5396), allowing authenticated attackers with restricted access to specific forms to manipulate submissions of unauthorized forms by spoofing the 'form_id' parameter.

CVE-2026-41956 describes a vulnerability in F5 Networks' Traffic Management Microkernel (TMM) where undisclosed requests can cause TMM termination when a classification profile is configured on a UDP virtual server, leading to a denial-of-service condition.

NGINX Plus and NGINX Open Source are vulnerable to a heap buffer overflow (CVE-2026-42945) due to crafted HTTP requests when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string that includes a question mark, potentially leading to denial of service or code execution.

CVE-2026-42920 describes a vulnerability where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server.

CVE-2026-41227 describes a vulnerability in an F5 Networks product where undisclosed traffic on an HTTP/2 virtual server with Layer 7 DoS Protection enabled can lead to increased memory consumption and termination of the Traffic Management Microkernel (TMM) process.

CVE-2026-40698 allows a highly privileged, authenticated attacker with Resource Administrator privileges in F5 BIG-IP and BIG-IQ systems to create SNMP configuration objects via iControl REST or TMOS shell (tmsh), resulting in privilege escalation.

CVE-2026-40629 describes a vulnerability in F5 Networks products where, when SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections, leading to a denial of service.

CVE-2026-20916 describes a vulnerability in F5 BIG-IQ where an authenticated user with low privileges can create or modify arbitrary files via an undisclosed iControl REST endpoint, potentially leading to privilege escalation or system compromise.

Kuicms Php EE 2.0 is vulnerable to persistent cross-site scripting (CVE-2020-37222), allowing unauthenticated attackers to inject malicious scripts via the bbs reply endpoint, leading to arbitrary script execution in users' browsers.

CVE-2026-0264 is a heap-based buffer overflow vulnerability in Palo Alto Networks PAN-OS DNS proxy and DNS server features, allowing an unauthenticated attacker with network access to cause denial of service or potentially execute arbitrary code by sending crafted network traffic.

A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database, potentially leading to sensitive data exposure, data modification, and privilege escalation.

CVE-2026-0241 describes multiple incorrect authorization vulnerabilities in Palo Alto Networks Trust Protection Foundation that allow attackers to bypass access controls and perform unauthorized actions on restricted resources.

CVE-2026-0238 is an improper input validation vulnerability in Palo Alto Networks Broker VM that allows an authenticated administrator to inject arbitrary content into certain fields, affecting versions 30.0 prior to 30.0.24.

The JoomSport plugin for WordPress is vulnerable to time-based blind SQL Injection (CVE-2026-6929) via the 'sortf' parameter in versions up to 5.7.7, allowing unauthenticated attackers to extract sensitive information from the database.

SiYuan's Bazaar marketplace is vulnerable to stored cross-site scripting (XSS) via unescaped package metadata, leading to arbitrary OS command execution in the desktop Electron client.

A critical vulnerability exists in Exim Internet Mailer versions 4.97 to 4.99.2, requiring users and administrators to apply necessary updates.

A new local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem, named "Fragnesia," allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption.

A remote, authenticated attacker can exploit a vulnerability in Kyverno to perform a cross-site scripting attack.

A remote, authenticated attacker can exploit a vulnerability in Fortinet FortiAnalyzer and FortiManager to perform a denial-of-service attack, disrupting normal operations.

A remote, authenticated attacker can exploit a vulnerability in Microsoft SQL Server 2017, 2019, 2016 and 2022 to execute arbitrary code and gain administrator privileges.

Klever-Go's MultiDataInterceptor is vulnerable to a remote denial-of-service (DoS) attack. By sending a crafted compressed P2P payload, an unauthenticated attacker can trigger excessive memory allocation on the receiving node, leading to an out-of-memory (OOM) condition and potentially disrupting chain liveness.

Heym before 0.0.21 is vulnerable to a sandbox escape (CVE-2026-45227) in the custom Python tool executor, allowing authenticated workflow authors to bypass restrictions and execute arbitrary host commands as the backend service user.

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability (CVE-2026-34645) that could allow an attacker to bypass security measures and gain unauthorized write access without user interaction.

Multiple vulnerabilities in Fortinet's FortiAuthenticator and FortiSandbox products could lead to remote code execution, potentially allowing attackers to install programs, modify data, or create new accounts.

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability (CVE-2026-8429) in the private space, allowing attackers to execute arbitrary code in the context of the web server, bypassing SPIP security screen protections.

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are vulnerable to deserialization of untrusted data, potentially leading to arbitrary code execution if a user interacts with a malicious URL or compromised webpage.

The rule identifies the use of Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence by detecting registry changes made by WmiPrvSe.exe in specific registry paths.

CVE-2026-41102 is an improper access control vulnerability in Microsoft Office PowerPoint that allows an authorized attacker to perform spoofing locally.

CVE-2026-40419 is a use-after-free vulnerability in Microsoft Office that allows an authenticated, local attacker to elevate privileges.

CVE-2026-40415 is a use-after-free vulnerability in Windows TCP/IP that allows an unauthorized attacker to execute code over a network.

CVE-2026-40413 is a null pointer dereference vulnerability in Windows TCP/IP that allows an unauthenticated attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40401 is a null pointer dereference vulnerability in Windows TCP/IP that allows a local, unauthorized attacker to cause a denial of service.

CVE-2026-42898 is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute arbitrary code over a network.

CVE-2026-41096 is a critical heap-based buffer overflow vulnerability in Microsoft Windows DNS that allows an unauthenticated attacker to achieve remote code execution over a network.

CVE-2026-41089 is a stack-based buffer overflow vulnerability in Windows Netlogon that allows an unauthorized attacker to execute arbitrary code over a network.

CVE-2026-40402 is a use-after-free vulnerability in Windows Hyper-V, enabling an unauthorized local attacker to escalate privileges.

Detection of suspicious ImagePath values written to the registry, indicating potential persistence or privilege escalation via abnormal service creation involving command interpreters or named pipes.