Posts
Public PoC Drops for Critical libssh2 Heap Overflow: curl, Git, and PHP All Carry the Flaw
A public PoC was released June 29 for CVE-2026-55200, a CVSS 9.2 heap overflow in libssh2 1.11.1 and earlier that lets a malicious SSH server execute code on any connecting client. curl, Git, PHP, and a long tail of appliances all link the library.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection; CISA added all three to KEV on June 23 amid Mirai/Gafgyt botnet exploitation.
Squidbleed: 29-Year-Old Heap Over-Read in Squid Proxy Leaks Cleartext HTTP Traffic (CVE-2026-47729)
A Heartbleed-style heap buffer over-read in Squid's FTP gateway, tracing to a 1997 commit, lets trusted proxy users drain other users' cleartext HTTP requests including credentials, cookies, and session tokens.
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
DirtyClone: Linux Kernel LPE via Cloned sk_buff Gives Any Local User Root (CVE-2026-43503)
JFrog releases a working exploit for DirtyClone, a Linux kernel socket-buffer cloning flaw that silently rewrites in-memory setuid binaries and grants root, with container-escape potential on cloud and Kubernetes hosts.
Linux Kernel CVE-2026-46331: Pedit COW Traffic-Control Bug Delivers Root Shell, Ubuntu Still Unpatched
A weaponized PoC for CVE-2026-46331 (Pedit COW) corrupts the kernel page cache via act_pedit to drop a root shell; Ubuntu 18.04 through 26.04 remain unpatched.
Arista EOS CVE-2026-7473: Tunnel Decap Flaw Bypasses Segmentation, and Arista Won't Patch It
CVE-2026-7473 lets an unauthenticated attacker push arbitrary tunneled traffic through Arista data-center switches that decapsulate it without checking the protocol. It is exploited in the wild and on CISA's KEV list with a deadline of today; Arista has confirmed no patch is coming.
AryStinger Turns 4,300 End-of-Life Routers Into a Reconnaissance Proxy Network
QiAnXin XLab's AryStinger has hijacked 4,300+ legacy Realtek RTL819X routers, mostly D-Link DIR-850L units, into a pre-intrusion recon and proxy mesh using decade-old CVEs.
OptinMonster CDN Supply-Chain Attack: Tampered SDK Backdoors WordPress Admins
Attackers stole an Awesome Motive CDN key and laced the OptinMonster, TrustPulse, and PushEngage SDKs with code that creates rogue admins and plants a web shell, on up to 1.2M fully patched sites.
Klue OAuth Breach Feeds 'Icarus' Salesforce Data-Theft Spree
A dormant legacy credential at market-intelligence vendor Klue let the new Icarus extortion crew steal customer OAuth tokens and bulk-export Salesforce CRM data from Huntress, Recorded Future, Tanium, Jamf, and more.
Gravity SMTP CVE-2026-4020: Unauthenticated Flaw Leaks Cloud Email API Keys Amid Mass Exploitation
Attackers are mass-exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin to dump site config and third-party email provider API keys. Patch to 2.1.5 and rotate every key now.
A Zero-Length Compare and 27 Years: OpenBSD's PAP Authentication Bypass (CVE-2026-55706)
CVE-2026-55706 is a 27-year-old authentication bypass in OpenBSD's sppp(4) PAP handler. An attacker-controlled compare length means empty credentials produce a PAP_ACK, and an oversized one leaks kernel heap. Full details and a working PoC are public.
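The bug class behind that teaser, as an added illustration that is not OpenBSD's sppp(4) code: when the length used for the credential comparison is taken from the packet, a zero-length password makes memcmp() compare nothing and report a match, and a length larger than the bytes actually present in the packet reads beyond them. The pap_verify_* functions, the stored password and the inputs below are constructed for the example; the hardened version insists that the supplied length equals the stored secret's length and fits inside the received packet before comparing a single byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the attacker-controlled-length bug class.
 * Not the OpenBSD sppp(4) implementation; names and data are assumptions. */

#define PAP_ACK 1
#define PAP_NAK 0

/* Configured peer password (constructed sample, not a real secret). */
static const char stored_pw[] = "s3cret";

/* Vulnerable pattern: the comparison length comes straight from the
 * Passwd-Length field of the Authenticate-Request.  pw_len == 0 makes
 * memcmp() return 0 ("equal") without looking at any byte, so empty
 * credentials are accepted.  A pw_len larger than the packet payload
 * would make memcmp() read past the received bytes. */
static int pap_verify_vulnerable(const uint8_t *pw, uint8_t pw_len)
{
    return memcmp(stored_pw, pw, pw_len) == 0 ? PAP_ACK : PAP_NAK;
}

/* Hardened pattern: `avail` is the number of bytes actually left in the
 * packet after the length field.  The supplied length must equal the
 * stored secret's length (rejecting empty input) and must not exceed
 * what the packet holds (rejecting over-reads).  Only then is the
 * content compared, in constant time so that the result does not
 * depend on where the first mismatch occurs. */
static int pap_verify_fixed(const uint8_t *pw, uint8_t pw_len, size_t avail)
{
    const size_t want = sizeof(stored_pw) - 1;   /* exclude the NUL */

    if (pw_len != want || pw_len > avail)
        return PAP_NAK;

    unsigned char diff = 0;
    for (size_t i = 0; i < want; i++)
        diff |= pw[i] ^ (unsigned char)stored_pw[i];

    return diff == 0 ? PAP_ACK : PAP_NAK;
}

/* Stand-alone demonstration: an empty password is ACKed by the vulnerable
 * check and NAKed by the fixed one; a length claim that exceeds the packet
 * is also NAKed by the fixed one without touching any byte. */
int main(void)
{
    const uint8_t empty[1] = {0};
    const uint8_t good[] = "s3cret";

    printf("vulnerable, empty password : %s\n",
           pap_verify_vulnerable(empty, 0) == PAP_ACK ? "ACK" : "NAK");
    printf("fixed, empty password      : %s\n",
           pap_verify_fixed(empty, 0, 0) == PAP_ACK ? "ACK" : "NAK");
    printf("fixed, correct password    : %s\n",
           pap_verify_fixed(good, 6, 6) == PAP_ACK ? "ACK" : "NAK");
    printf("fixed, length > packet     : %s\n",
           pap_verify_fixed(good, 6, 5) == PAP_ACK ? "ACK" : "NAK");
    return 0;
}
```

The same two checks apply to any wire format that carries its own length fields (PAP Peer-ID-Length, the FTP reply handling behind Squidbleed, TLS heartbeat): validate the claimed length against both the expected value and the bytes actually received before using it for a compare or a copy.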
Two Critical NGINX Flaws Put HTTP/3 and gRPC Proxying One Bug Away From Unauthenticated RCE
F5 patched CVE-2026-42530 and CVE-2026-42055, two CVSS 9.2 unauthenticated memory-corruption bugs in NGINX's HTTP/3 and HTTP/2 paths. Both reach RCE where ASLR can be bypassed, and both touch NGINX Ingress Controller and Gateway Fabric.
FortiBleed: Cracked Admin Credentials Leak for 73,932 Internet-Facing FortiGate Firewalls
A Russian-speaking crew cracked weak legacy FortiOS password hashes to harvest working admin and SSL VPN credentials for 73,932 FortiGate firewalls, roughly half the internet-facing fleet across 194 countries. Assume compromise and rotate now.
LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively-exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.
Pickle in the Middle: Vertex AI SDK Bucket-Squatting Bug Enabled Cross-Tenant RCE
Unit 42's 'Pickle in the Middle' shows how a predictable staging-bucket name in the Vertex AI Python SDK let an attacker hijack model uploads and run code cross-tenant. Patched in google-cloud-aiplatform 1.148.0.
Mastra npm Scope Hijacked: 144 AI-Framework Packages Backdoored with the easy-day-js Stealer
An attacker hijacked a former contributor's npm account to republish ~144 @mastra packages, including @mastra/core (918K weekly downloads), each pulling in easy-day-js, a dayjs typosquat that drops a cross-platform crypto/infostealer at install time.
RoguePlanet Gets a CVE: Microsoft Confirms Patch in Progress for Defender SYSTEM Race Condition (CVE-2026-50656)
One week after a public PoC dropped during Patch Tuesday, Microsoft has assigned CVE-2026-50656 to RoguePlanet, a Defender Malware Protection Engine race condition that hands SYSTEM on fully patched Windows 10 and 11, and has confirmed a fix is in flight. No patch yet.
Velvet Ant's Operation Highland: A China-Nexus APT Backdoored the Linux Auth Stack for a Decade
Sygnia's Operation Highland report details how the China-nexus group Velvet Ant hid in an isolated network for nearly a decade by backdooring pam_unix.so and OpenSSH binaries: no exploit, no dropped malware, no anomalous logs.
Ivanti Sentry CVE-2026-10520: Unauthenticated Root RCE via handleMessage, Now in CISA KEV
A CVSS 10.0 OS command injection in Ivanti Sentry's unauthenticated /mics/api/v2/sentry/mics-config/handleMessage endpoint yields remote code execution as root. watchTowr published a PoC on June 10, CISA added it to KEV on June 11 with a June 14 deadline, and exploitation has followed.