Deserialization
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
Jenkins CVE-2026-53435: config.xml Deserialization RCE Exploited Five Days After Disclosure
CVE-2026-53435 (CVSS 9.0) is an unsafe-deserialization RCE in Jenkins' config.xml handling. Disclosed June 10, a public PoC is now driving in-the-wild exploitation against internet-exposed CI/CD servers. Patch to weekly 2.568 or LTS 2.555.3.
Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.
Mirasvit Cache Warmer CVE-2026-45247: One Cookie Pops Any Magento Store, No Auth Required
CISA added CVE-2026-45247 to KEV after Imperva confirmed active exploitation. A single crafted CacheWarmer cookie gives unauthenticated RCE on Magento and Adobe Commerce stores running Mirasvit Full Page Cache Warmer below 1.11.12.
Oracle WebLogic CVE-2024-21182 Hits CISA KEV: Two-Year-Old T3 Bug Now Under Active Exploitation
CISA added the unauthenticated Oracle WebLogic T3/IIOP flaw CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1. The patch has shipped for two years — this is a story about exposed, unpatched middleware.
SSRF to the Model, Model to the Cloud: The Inference Layer Is 2026's Softest Attack Surface
Model gateways and inference servers are repeating two decades of solved web-security mistakes — default-open binds, pickle RCE, pre-auth SQLi, and SSRF straight into cloud credentials. A field guide to the AI control plane's softest links and how to harden them before the next 36-hour exploitation window.
SharePoint CVE-2026-45659: Site Member Permissions Are Enough to Pop the Farm
Microsoft patched CVE-2026-45659, an 8.8-severity SharePoint deserialization RCE that only requires Site Member permissions — the lowest tier any authenticated user can have.
Apache MINA Patches CVE-2026-42778 and CVE-2026-42779: Two Incomplete Fixes Land Back-to-Back as RCE
MINA 2.2.7 and 2.1.12 ship critical patches for two deserialization bypasses that each thread the needle through a previous incomplete fix — the third and fourth iterations of the same root bug stretching back to 2024.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.