A React-based phishing page with credential exfiltration via EmailJS
Published: 2026-03-13
Last Updated: 2026-03-13 07:20:58 UTC
by Jan Kopriva (Version: 1)
On Wednesday, a phishing message made its way into our handler inbox that contained a fairly typical low-quality lure, but turned out to be quite interesting in the end nonetheless. That is because the accompanying credential stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.
But before we get to the details, let’s take a quick look at the initial message. The e-mail pretended to be a notification about a list of files shared with us through the legitimate WeTransfer service.
I mentioned that the lure used in the message was of low-quality because, as you can see in the following image, the files in question were supposedly sent by someone using our own e-mail address…
Which would probably be at least a little suspicious to any recipient…
Read the full entry: https://isc.sans.edu/diary/A+Reactbased+phishing+page+with+credential+exfiltration+via+EmailJS/32794/
SmartApeSG campaign uses ClickFix page to push Remcos RAT
Published: 2026-03-14
Last Updated: 2026-03-14 01:19:49 UTC
by Brad Duncan (Version: 1)
Introduction
This diary describes a Remcos RAT infection that I generated in my lab on Thursday, 2026-03-11. This infection was from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.
My previous in-depth diary about SmartApeSG (ZPHP, HANEYMANEY) was in November 2025, when I saw NetSupport Manager RAT. (https://isc.sans.edu/diary/SmartApeSG+campaign+uses+ClickFix+page+to+push+NetSupport+RAT/32474) Since then, I've fairly consistently seen what appears to be Remcos RAT from this campaign.
Finding SmartApeSG Activity
As previously noted, I find SmartApeSG indicators from the Monitor SG account on Mastodon, and I use URLscan to pivot on those indicators to find compromised websites with injected SmartApeSG script.
Details
Below is an image of HTML in a page from a legitimate but compromised website that shows the injected SmartApeSG script…
Read the full entry: https://isc.sans.edu/diary/SmartApeSG+campaign+uses+ClickFix+page+to+push+Remcos+RAT/32796/
IPv4 Mapped IPv6 Addresses
Published: 2026-03-17
Last Updated: 2026-03-17 11:36:48 UTC
by Johannes Ullrich (Version: 1)
Yesterday, in my diary about the scans for "/proxy/" URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in RFC 4038 (https://datatracker.ietf.org/doc/html/rfc4038). These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking code. IPv4-mapped IPv6 addresses can be used to represent IPv4 addresses in these cases. IPv4-mapped IPv6 addresses are not used on the network, but instead, translated to IPv4 before a packet is sent.
To map an IPv4 address into IPv6, the prefix "::ffff:/96" is used. This leaves the last 32 bits to represent the IPv4 address. For example, "10.5.2.1" turns into "::ffff:0a05:0201". Many applications display the last 4 bytes in decimal format to make it easier to read. For example, you will see "::ffff:10.5.2.1".
Whether IPv4-mapped IPv6 addresses can be used depends on the particular application. Here are a few examples, but feel free to experiment yourself…
Read the full entry: https://isc.sans.edu/diary/IPv4+Mapped+IPv6+Addresses/32804/
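The practical risk with the mapped form is that an IPv4 allow/deny list or a log-analysis pipeline that compares address strings will treat "10.5.2.1", "::ffff:10.5.2.1" and "::ffff:0a05:0201" as three different sources. The following Python is an added example, not code from the diary or from SANS ISC: it builds the mapped form by hand exactly as the excerpt describes (prefix plus the four address bytes as two hex groups), canonicalises any spelling back to the IPv4 address it carries, and aggregates requests per canonical source. The log format and the log lines are constructed for the example and the `/proxy/` path is only used as a filter string.

```python
"""Added example (not from the ISC diary): recognise IPv4-mapped IPv6 addresses
and canonicalise them before matching against IPv4 allow/deny lists.
The log lines below are constructed for the example."""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv6Address, ip_address


def map_ipv4_to_ipv6(v4: str) -> str:
    """Build the mapped form by hand: the ::ffff:/96 prefix followed by the
    four address bytes as two 16-bit hex groups (10.5.2.1 -> ::ffff:0a05:0201)."""
    b = IPv4Address(v4).packed
    return "::ffff:%02x%02x:%02x%02x" % (b[0], b[1], b[2], b[3])


def normalize_ip(text: str) -> str:
    """Canonical form of an address string: an IPv4-mapped IPv6 address, in
    either hex (::ffff:0a05:0201) or dotted (::ffff:10.5.2.1) notation, is
    collapsed to the IPv4 address it carries; anything else is returned in
    the ipaddress module's compressed, lower-case form. Raises ValueError on
    input that is not an address."""
    addr = ip_address(text.strip().strip("[]"))
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def is_listed(text: str, listed: set[str]) -> bool:
    """Membership test that is robust to the mapped spellings. A plain string
    comparison ('::ffff:10.5.2.1' in {'10.5.2.1'}) would miss the match."""
    canon = {normalize_ip(x) for x in listed}
    try:
        return normalize_ip(text) in canon
    except ValueError:
        return False


# Constructed access-log lines (hypothetical format: "<ts> <src> <request>").
SAMPLE_LOG = """\
2026-03-16T10:01:02Z 10.5.2.1 GET /proxy/?u=http://203.0.113.7/
2026-03-16T10:01:05Z ::ffff:10.5.2.1 GET /proxy/?u=http://203.0.113.7/
2026-03-16T10:01:09Z ::ffff:0a05:0201 GET /proxy/?u=http://203.0.113.7/
2026-03-16T10:02:11Z 2001:db8::42 GET /proxy/?u=http://203.0.113.7/
2026-03-16T10:02:15Z 198.51.100.9 GET /robots.txt
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<req>.*)$")


def hits_by_source(log_text: str, path_prefix: str = "/proxy/") -> Counter:
    """Count requests for path_prefix per canonical source address, so the
    three spellings of 10.5.2.1 above collapse into one counter entry."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _method, _, path = m.group("req").partition(" ")
        if not path.startswith(path_prefix):
            continue
        try:
            counts[normalize_ip(m.group("src"))] += 1
        except ValueError:
            counts["<unparseable>"] += 1
    return counts


if __name__ == "__main__":
    print(map_ipv4_to_ipv6("10.5.2.1"))                 # ::ffff:0a05:0201
    print(is_listed("::ffff:0a05:0201", {"10.5.2.1"}))  # True
    print(hits_by_source(SAMPLE_LOG))
```

Two caveats when applying this. On a dual-stack listener (IPV6_V6ONLY disabled) the kernel itself presents IPv4 peers as ::ffff:a.b.c.d, so the mapped form in a connection log is the legitimate case the diary describes and should be canonicalised, not flagged. A mapped address that arrives as text, for instance inside a URL parameter or an X-Forwarded-For header, is attacker-controlled and is only worth matching after the same canonicalisation, which is exactly what a naive string blocklist skips.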
Scans for "adminer" (2026.03.18)
https://isc.sans.edu/diary/Scans+for+adminer/32808/
/proxy/ URL scans with IP addresses (2026.03.16)
https://isc.sans.edu/diary/proxy+URL+scans+with+IP+addresses/32800/
When your IoT Device Logs in as Admin, It's too Late! [Guest Diary] (2026.03.11)
https://isc.sans.edu/diary/When+your+IoT+Device+Logs+in+as+Admin+Its+too+Late+Guest+Diary/32788/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-3909 - Chromium: Out of bounds write in Skia
Product: Google Chrome
CVSS Score: 0
** KEV since 2026-03-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3909
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3909
NVD References:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
- https://issues.chromium.org/issues/491421267
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
CVE-2026-3910 - Chromium: Inappropriate implementation in V8
Product: Google Chrome
CVSS Score: 0
** KEV since 2026-03-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3910
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3910
NVD References:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
- https://issues.chromium.org/issues/491410818
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3910
CVE-2026-3381 - Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib
Product: Compress::Raw::Zlib
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3381
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3381
CVE-2026-26030 - Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable
Product: Microsoft Semantic Kernel Python SDK
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26030
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26030
CVE-2025-11158 - Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, have a vulnerability that does not restrict Groovy scripts in new PRPT reports published by users, enabling insertion of arbitrary scripts and resulting in RCE.
Product: Hitachi Vantara Pentaho Data Integration & Analytics
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11158
NVD References: https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158
CVE-2026-27685 - SAP NetWeaver Enterprise Portal Administration is vulnerable to high impact attacks if a privileged user uploads untrusted content.
Product: SAP NetWeaver Enterprise Portal Administration
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27685
CVE-2026-30862 - Appsmith: Prior to version 1.96, a Critical Stored XSS vulnerability in the Table Widget allows for Full Administrative Account Takeover by exploiting the lack of HTML sanitization in the React component rendering pipeline.
Product: Appsmith
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30862
CVE-2026-30869 - SiYuan is vulnerable to a path traversal exploit in the /export endpoint pre-3.5.10, allowing attackers to read sensitive files and potentially gain administrative access or remote code execution capabilities.
Product: SiYuan
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30869
CVE-2026-30887, CVE-2026-30921, CVE-2026-30956, CVE-2026-30957, CVE-2026-32306 - Multiple vulnerabilities in OneUptime.
Product: Hackerbay Oneuptime
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30887
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30921
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30956
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30957
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32306
CVE-2025-40943 - Stored Cross-Site Scripting Vulnerability in SIMATIC S7-1500
Product: Siemens SIMATIC S7-1500
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40943
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-452276.html
CVE-2025-41709 - An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device.
Product: Janitza UMG 96RM-E devices and Weidmueller devices Energy Meter 750-24 and Energy Meter 750-230
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41709
NVD References:
- https://certvde.com/en/advisories/VDE-2025-079/
- https://certvde.com/en/advisories/VDE-2025-096/
CVE-2025-56422 - A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
Product: LimeSurvey
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56422
CVE-2025-69614 & CVE-2025-69615 - Vulnerabilities in Deutsche Telekom AG Telekom Account Management Portal.
Product: Deutsche Telekom AG Telekom Account Management Portal
CVSS Scores: 9.1 - 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69614
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69615
CVE-2026-30930 - Glances allows SQL injection via unsanitized system monitoring data prior to version 4.5.1.
Product: Glances open-source system cross-platform monitoring tool
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30930
CVE-2026-30968 through CVE-2026-30970 - Multiple vulnerabilities in Coral Server prior to 1.1.0.
Product: Coral Server
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30968 (missing authorization)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30969 (authorization bypass)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30970 (missing authorization)
CVE-2026-3843 - The Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux is susceptible to a SQL Injection vulnerability that allows remote attackers to execute arbitrary SQL commands and potentially achieve remote code execution.
Product: Nefteprodukttekhnika BUK TS-G Gas Station Automation System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3843
CVE-2026-28292 - Simple-Git version 3.15.0 through 3.32.2 allows for full remote code execution due to a bypass of prior CVE fixes.
Product: Simple-Git Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28292
CVE-2025-48611 - DeviceId has a vulnerability in DeviceId.java that could allow for local privilege escalation without requiring user interaction.
Product: Google Pixel
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48611
NVD References: https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
CVE-2026-27825 - MCP Atlassian is vulnerable to arbitrary code execution through the `confluence_download_attachment` tool prior to version 0.17.0.
Product: MCP Atlassian Confluence and Jira
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27825
CVE-2026-28495 - GetSimple CMS and its massiveAdmin plugin allow an authenticated admin to upload arbitrary PHP code and achieve Remote Code Execution on the web server due to lack of CSRF protection.
Product: GetSimple CMS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28495
CVE-2026-0110, CVE-2026-0111, CVE-2026-0113, CVE-2026-0114, CVE-2026-0116, & CVE-2026-0120 - Multiple vulnerabilities in Google Android and Pixel.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0110
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0111
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0113
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0114
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0116
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0120
NVD References:
- https://source.android.com/docs/security/bulletin/2026/2026-03-01
- https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
CVE-2026-30965, CVE-2026-30966, CVE-2026-31800, CVE-2026-31840, CVE-2026-31856, CVE-2026-31871, & CVE-2026-32248 - Multiple vulnerabilities in Parse Server.
Product: Parseplatform Parse-Server
CVSS Score: 9.1 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30965 (incorrect authorization)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30966 (improper access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31800 (missing authorization)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31840 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31856 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31871 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32248 (improper neutralization of special elements)
CVE-2026-23813 - HPE Aruba Networking AOS-CX switches have a vulnerability in their web-based management interface allowing unauthorized access and potential password resets.
Product: HPE Aruba Networking AOS-CX
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23813
NVD References: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05027en_us&docLocale=en_US
CVE-2023-27573 - Netbox-docker before 2.5.0 has a default superuser account with easily guessable credentials, making it vulnerable to unauthorized access.
Product: Netbox-docker
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27573
CVE-2026-3826 - IFTOP developed by WellChoose contains a Local File Inclusion vulnerability that permits unauthenticated remote attackers to run unauthorized code on the server.
Product: Wellchoose Organization Portal System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3826
NVD References: https://www.twcert.org.tw/en/cp-139-10756-73f66-2.html
CVE-2026-30903 - Zoom Workplace for Windows before 6.6.0 allows unauthenticated users to escalate privileges via network access by exploiting the External Control of File Name or Path vulnerability in the Mail feature.
Product: Zoom Workplace for Windows
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30903
NVD References: https://www.zoom.com/en/trust/security-bulletin/zsb-26005
CVE-2026-28229 - Argo Workflows prior to version 4.0.2 and 3.7.11 allows unauthorized access to sensitive template content via Workflow templates endpoints.
Product: Argo Workflows
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28229
CVE-2026-30741 - OpenClaw Agent Platform v2026.2.6 is vulnerable to RCE attacks that allow remote attackers to execute arbitrary code.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30741
CVE-2025-67035, CVE-2025-67038, CVE-2025-67039, CVE-2025-67041, & CVE-2025-70082 - Multiple vulnerabilities in Lantronix EDS3000PS and EDS5000.
Product: Lantronix
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67035
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67038
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67039
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67041
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70082
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
CVE-2026-31852 - Jellyfin's open-source media system is vulnerable to arbitrary code execution via pull requests from forked repositories due to a vulnerability in the code-quality.yml GitHub Actions workflow.
Product: Jellyfin
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31852
CVE-2026-31862 - Cloud CLI is susceptible to authenticated attackers executing arbitrary OS commands through Git-related API endpoints prior to version 1.24.0.
Product: Cloud CLI
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31862
CVE-2018-25159 - Epross AVCON6 systems management platform is vulnerable to OGNL injection, allowing unauthenticated attackers to execute arbitrary system commands with root privileges.
Product: Epross AVCON6 systems management platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25159
CVE-2019-25468 - NetGain EM Plus 10.1.68 is vulnerable to remote code execution, enabling attackers to send malicious parameters to script_test.jsp endpoint and execute arbitrary system commands without authentication.
Product: NetGain EM Plus 10.1.68
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25468
CVE-2019-25471 - FileThingie 2.5.7 is vulnerable to arbitrary file uploads via ZIP archives, enabling attackers to execute malicious commands through extracted PHP files.
Product: FileThingie
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25471
CVE-2019-25487 - SAPIDO RB-1732 V2.0.43 is vulnerable to remote command execution, allowing attackers to run arbitrary commands on the device without authentication.
Product: SAPIDO RB-1732 V2.0.43
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25487
CVE-2026-31874 - Taskosaur allows unauthenticated attackers to register fully privileged administrative accounts by manipulating the role parameter during the user registration process.
Product: Taskosaur
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31874
CVE-2026-31877 - Frappe is vulnerable to SQL injection prior to versions 15.84.0 and 14.99.0, allowing attackers to extract sensitive information through a specially crafted request.
Product: Frappe
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31877
CVE-2026-27478 - Unity Catalog has a critical authentication bypass vulnerability in versions 0.4.0 and earlier due to not validating trusted identity providers when fetching JWKS endpoint for signature validation.
Product: Unity Catalog
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27478
CVE-2026-31896 - WeGIA prior to version 3.6.6 is susceptible to a critical SQL injection vulnerability that allows attackers to execute arbitrary SQL commands and potentially exfiltrate sensitive data or cause denial of service.
Product: WeGIA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31896
CVE-2026-31900 - Black, the Python code formatter, is vulnerable to arbitrary code execution in GitHub actions due to a malicious pull request editing pyproject.toml, which is fixed in version 26.3.0.
Product: Python Black
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31900
CVE-2026-31957 - Himmelblau allows for unscoped authentication if deployed without a configured tenant domain, potentially exposing it to remote authentication risks before version 3.1.0.
Product: Himmelblau-IDM
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31957
CVE-2026-31976 - Xygeni-action is susceptible to a supply chain compromise via tag poisoning, allowing for arbitrary command execution on CI runners during a specific window in March 2026.
Product: Xygeni-Action
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31976
CVE-2026-32096 - Plunk, an open-source email platform, had a Server-Side Request Forgery (SSRF) vulnerability in the SNS webhook handler before version 0.7.0, allowing unauthenticated attackers to make arbitrary outbound HTTP GET requests to hosts accessible from the server.
Product: Useplunk Plunk
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32096
CVE-2025-66956 - Asseco SEE Live 2.0 is vulnerable to insecure access control, allowing remote attackers to access and execute attachments through a computable URL in Contact Plan, E-Mail, SMS, and Fax components.
Product: Asseco SEE Live 2.0
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66956
CVE-2025-70024 - Benkeen generatedata 4.0.14 is vulnerable to CWE-89 due to improper neutralization of special elements in an SQL command.
Product: benkeen generatedata
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70024
CVE-2025-70041 - An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.
Product: ThermaKube
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70041
CVE-2026-27591 - Winter CMS versions prior to 1.0.477, 1.1.12, and 1.2.12 allowed authenticated backend users to escalate their accounts' level of access through specially crafted requests.
Product: Winter CMS
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27591
CVE-2026-32133 - 2FAuth allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints due to a blind SSRF vulnerability in versions prior to 6.1.0.
Product: 2FAuth
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32133
CVE-2026-32136 - AdGuard Home is vulnerable to an unauthenticated remote attacker bypassing all authentication prior to version 0.107.73 by sending an HTTP/1.1 request requesting an upgrade to HTTP/2 cleartext (h2c).
Product: AdGuard Home
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32136
CVE-2025-59388 - Hyper Data Protector is vulnerable to a hard-coded password issue that allows remote attackers to gain unauthorized access until version 2.3.1.455.
Product: QNAP Hyper Data Protector
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59388
NVD References: https://www.qnap.com/en/security-advisory/qsa-25-48
CVE-2026-3059 & CVE-2026-3060 - SGLang unauthenticated remote code execution vulnerabilities.
Product: SGLang
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3059
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3060
CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21671, & CVE-2026-21708 - Vulnerabilities in Veeam Backup & Replication allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
Product: Veeam Backup & Replication
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21666
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21667
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21669
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21671
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21708
NVD References:
- https://www.veeam.com/kb4830
- https://www.veeam.com/kb4831
CVE-2026-28792 - TinaCMS version prior to 2.1.8 is vulnerable to a browser-based drive-by attack exploiting a permissive CORS configuration and path traversal vulnerability, allowing a remote attacker to manipulate files on a developer's machine.
Product: TinaCMS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28792
CVE-2026-26791, CVE-2026-26792, & CVE-2026-26795 - Command injection vulnerabilities in GL-iNet GL-AR300M16.
Product: GL-iNet GL-AR300M16
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26791
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26792
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26795
CVE-2026-26793 - GL-iNet GL-AR300M16 v4.3.11 is vulnerable to a command injection flaw in the set_config function and may allow remote attackers to execute malicious commands.
Product: GL-iNet GL-AR300M16
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26793
CVE-2026-3611 - The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration, allowing for remote users to create new accounts with administrative privileges.
Product: Honeywell IQ4x building management controller
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3611
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03
CVE-2026-25818 & CVE-2026-25823 - Vulnerabilities in HMS Networks Ewon Flexy, Cosy+ before firmware versions 15.0s4, 22.xx before 22.1s6, and 23.xx.
Product: HMS Networks Ewon Flexy, Cosy+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25818
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25823
CVE-2026-26954 - SandboxJS before version 0.8.34 allows for escaping the sandbox by manipulating arrays to construct property-function pairs with Object.fromEntries.
Product: SandboxJS
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26954
CVE-2026-31806 - FreeRDP prior to 3.24.0 is vulnerable to a heap buffer overflow due to improper validation of bmp.width and bmp.height values in SURFACE_BITS_COMMAND messages received from a malicious RDP server.
Product: FreeRDP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31806
CVE-2026-31886 - Dagu allows for directory traversal via dagRunId parameter, leading to system-wide denial of service in versions prior to 2.2.4.
Product: Dagu Workflow Engine
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31886
CVE-2026-32301 - Centrifugo prior to version 6.7.0 is vulnerable to SSRF due to a flaw in how dynamic JWKS endpoint URLs with template variables are processed, allowing an unauthenticated attacker to craft a malicious JWT and trigger an outbound HTTP request to a controlled destination.
Product: Centrifugo
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32301
CVE-2026-32304 - Locutus allows arbitrary code execution through create_function using new Function() prior to version 3.0.14.
Product: Locutus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32304
CVE-2026-32746 - GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC suboption handler because add_slc does not check whether the buffer is full.
Product: GNU inetutils
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32746
CVE-2016-20024 - ZKTeco ZKTime.Net 3.0.1.6 is vulnerable to insecure file permissions, enabling unprivileged users to escalate privileges through modification of executable files.
Product: ZKTeco ZKTime.Net
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-20024
NVD References: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php
CVE-2016-20026 - ZKTeco ZKBioSecurity 3.0 has hardcoded credentials in its bundled Apache Tomcat server, allowing unauthenticated attackers to access the manager application and execute arbitrary code with SYSTEM privileges.
Product: ZKTeco ZKBioSecurity 3.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-20026
NVD References: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
CVE-2016-20030 - ZKTeco ZKBioSecurity 3.0 has a user enumeration vulnerability that lets unauthenticated attackers discover valid usernames through partial character submissions in the username parameter.
Product: ZKTeco ZKBioSecurity 3.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-20030
NVD References: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php
CVE-2017-20223 & CVE-2017-20224 - Vulnerabilities in Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0.
Product: Telesquare SKT LTE Router SDT-CS3B1 firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20223 (authorization bypass)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20224 (unrestricted upload of file with dangerous type)
CVE-2025-69246 - Raytha CMS lacks brute force protection, enabling attackers to make multiple automated login attempts without facing any lockout or security challenges, fixed in version 1.4.6.
Product: Raytha CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69246
CVE-2026-32621 - Apollo Federation prior to versions 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2 allows malicious clients to pollute Object.prototype in the gateway through query plan execution with field aliases and/or variable names.
Product: Apollo Federation
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32621
CVE-2026-32626 - AnythingLLM Desktop version 1.11.1 and earlier is vulnerable to a Streaming Phase XSS leading to Remote Code Execution due to insecure Electron configuration and lack of sanitization in the image renderer and component rendering.
Product: Mintplexlabs AnythingLLM
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32626
CVE-2026-4163 & CVE-2026-4164 - Wavlink WL-WN579A3 220323 and Wavlink WL-WN578W2 221110 are vulnerable to command injection.
Product: Wavlink WL-WN579A3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4163 (Wavlink WL-WN579A3 220323)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4164 (Wavlink WL-WN578W2 221110)
CVE-2026-4170 - Topsec TopACM 3.0 is vulnerable to os command injection through manipulation of the argument template_path in /view/systemConfig/management/nmc_sync.php, allowing for remote execution of attacks with a publicly available exploit.
Product: Topsec TopACM 3.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4170
CVE-2026-4181 through CVE-2026-4184 - Multiple stack-based buffer overflow vulnerabilities in D-Link DIR-816 router firmware.
Product: D-Link DIR-816
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4181
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4182
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4183
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4184
CVE-2025-70245 - Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizardSelectMode.
Product: D-Link DIR-513
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70245
CVE-2025-62319 - HCL AION is vulnerable to boolean-based (blind) SQL injection: an attacker injects Boolean conditions into application input fields, allowing arbitrary SQL injection into backend configuration queries.
Product: HCL AION
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62319
NVD References: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410
CVE-2026-4252 & CVE-2026-4254 - Vulnerabilities in Tenda AC8 16.03.50.11.
Product: Tenda AC8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4252
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4254
CVE-2026-23489 - Fields, a GLPI plugin, is vulnerable to arbitrary PHP code execution in versions prior to 1.23.3 when users create dropdowns.
Product: GLPI Fields plugin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23489
CVE-2026-27962 - Authlib prior to version 1.6.9 is vulnerable to JWK Header Injection allowing unauthenticated attackers to forge arbitrary JWT tokens.
Product: Authlib
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27962
CVE-2025-69808 & CVE-2025-69809 - Vulnerabilities in p2r3 Bareiron commit 8e4d40.
Product: p2r3 Bareiron
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69808 (out-of-bounds read)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69809 (write-what-where condition)
CVE-2026-28430 - Chamilo LMS prior to version 1.11.34 is vulnerable to SQL injection, allowing remote attackers to execute arbitrary commands and achieve full administrative account takeover.
Product: Chamilo LMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28430
CVE-2026-32267 - Craft CMS versions 4.0.0-RC1 to before 4.17.6 and versions 5.0.0-RC1 to before 5.9.12 are vulnerable to privilege escalation through UsersController->actionImpersonateWithToken, allowing low-privilege users or authenticated users with a shared URL to become admins.
Product: Craft CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32267
CVE-2025-69902 - kubectl-mcp-server v1.2.0 is vulnerable to command injection, allowing attackers to execute arbitrary commands by injecting shell metacharacters.
Product: kubectl-mcp-server minimal_wrapper.py
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69902
CVE-2026-4177 - YAML::Syck versions through 1.36 have security vulnerabilities, including a high-severity heap buffer overflow and memory leak issues.
Product: Perl YAML::Syck
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4177
CVE-2026-4312 - GCB/FCB Audit Software by DrangSoft is vulnerable to Missing Authentication, enabling unauthorized remote attackers to create a new administrative account through specific APIs.
Product: DrangSoft GCB/FCB Audit Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4312
NVD References: https://www.twcert.org.tw/en/cp-139-10785-2cafe-2.html
CVE-2026-3564 - ScreenConnect is vulnerable to unauthorized access from an actor with server-level cryptographic material.
Product: ScreenConnect
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3564
NVD References: https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
CVE-2026-25534 - Spinnaker's updated URL Validation logic in clouddriver led to a vulnerability that allowed a bypass of a previous CVE (CVE-2025-61916) through carefully crafted URLs.
Product: Spinnaker Clouddriver
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25534
CVE-2026-25769 - Wazuh has a Remote Code Execution vulnerability (RCE) from versions 4.0.0 through 4.14.2, allowing attackers with compromised worker nodes to achieve full RCE on master nodes with root privileges.
Product: Wazuh Platform
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25769
CVE-2026-25770 - Wazuh is vulnerable to a privilege escalation flaw in its cluster synchronization protocol, allowing attackers to gain Root Remote Code Execution by overwriting the main configuration file.
Product: Wazuh Manager
CVSS Score: 9.1
GitHub Stars: 14987
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25770
CVE-2026-32298 - The Angeet ES3 KVM is susceptible to code injection attacks due to improper sanitization of user input.
Product: Angeet ES3 KVM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32298
CVE-2026-21994 - Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0 allows an unauthenticated attacker to compromise the tool's security and potentially take over the system.
Product: Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21994
NVD References: https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
CVE-2026-0953 - The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass via the Social Login addon, allowing unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token.
Product: Tutor LMS Pro WordPress
Active Installations: 100,000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0953
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve
CVE-2026-2631 - The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows remote users to modify authentication tokens and gain administrator privileges.
Product: Datalogics Ecommerce Delivery WordPress plugin
Active Installations: 400+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2631
CVE-2026-3891 - The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially execute remote code.
Product: Pix for WooCommerce plugin
Active Installations: 100+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3891
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/20188fd3-c330-4c76-912b-72731e14c450?source=cve
The following vulnerability needs a manual review:
CVE-2026-0866 - Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives
Product: ZIP files
CVSS Score: N/A
ISC Diary: https://isc.sans.edu/diary/Analyzing+Zombie+Zip+Files+CVE20260866/32786/
ISC Podcast: https://isc.sans.edu/podcastdetail/9846
References: https://www.kb.cert.org/vuls/id/976247