ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
Published: 2026-03-25
Last Updated: 2026-03-25 01:01:37 UTC
by Brad Duncan (Version: 1)
Introduction
This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I've seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and Sectop RAT (ArechClient2) after NetSupport RAT appeared on my infected lab host.
Not all of the follow-up malware appears shortly after the initial Remcos RAT malware. Here's the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24:
17:11 UTC - Ran ClickFix script from SmartApeSG fake CAPTCHA page
17:12 UTC - Remcos RAT post-infection traffic starts
17:16 UTC - NetSupport RAT post-infection traffic starts
18:18 UTC - StealC post-infection traffic starts
19:36 UTC - Sectop RAT post-infection traffic starts
While the NetSupport RAT activity happened approximately 4 minutes after the Remcos RAT activity, the StealC traffic didn't happen until approximately 1 hour after the NetSupport RAT activity started. And the traffic for Sectop RAT happened approximately 1 hour and 18 minutes after the StealC activity started.
Images from the infection ...
Indicators of Compromise ...
Read the full entry: https://isc.sans.edu/diary/SmartApeSG+campaign+pushes+Remcos+RAT+NetSupport+RAT+StealC+and+Sectop+RAT+ArechClient2/32826/
GSocket Backdoor Delivered Through Bash Script
Published: 2026-03-20
Last Updated: 2026-03-20 08:40:15 UTC
by Xavier Mertens (Version: 1)
Yesterday, I discovered a malicious Bash script that installs a GSocket backdoor on the victim's computer. I don't know the source of the script nor how it is delivered to the victim.
GSocket is a networking tool, but also a relay infrastructure, that enables direct, peer-to-peer–style communication between systems using a shared secret instead of IP addresses or open ports. It works by having both sides connect outbound to a global relay network. Tools like gs-netcat can provide remote shells, file transfer, or tunneling and bypass classic security controls. The script that I found uses a copy of gs-netcat but the way it implements persistence and anti-forensic techniques deserves a review.
A few weeks ago, I found a sample that used GSocket connectivity as a C2 channel. It made me curious, and I started to hunt for more samples. Bingo! The new one that I found has been detected by only 17 antivirus solutions on VT. The script is not obfuscated and even has comments, so I think that it was uploaded to VT for "testing" purposes by the developer (just a guess).
Let’s have a look at the techniques used. When you execute it in a sandbox, you see this ...
Read the full entry: https://isc.sans.edu/diary/GSocket+Backdoor+Delivered+Through+Bash+Script/32816/
Detecting IP KVMs
Published: 2026-03-24
Last Updated: 2026-03-24 13:55:25 UTC
by Johannes Ullrich (Version: 1)
I have written about how to use IP KVMs securely, and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities. But there is another issue I haven't mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent to them by their employers. The laptops were located in the US, and the North Korean workers used IP KVMs to remotely connect to them. IP KVMs could also be used to access office PCs, either to enable undetected "work from home" or by threat actors who use them to gain remote access after installing the device on site.
IP KVMs usually connect to the system in two ways:
* USB for keyboard/mouse
* HDMI for the monitor connection (some older variants may also use VGA)
For my testing, I used two different IP KVMs. A "PiKVM" and a "NanoKVM" (Sipeed). Both were connected to Linux systems, but the techniques should work on other operating systems as well ...
Read the full entry: https://isc.sans.edu/diary/Detecting+IP+KVMs/32824/
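The USB side of a rogue KVM is something the host itself can inventory: the device's keyboard/mouse emulation appears to Linux as a USB device with a HID interface (bInterfaceClass 03), and sysfs records the vendor/product IDs, strings and serial it advertises. The following is an added example, not code from the diary or from the PiKVM/NanoKVM projects. It reads /sys/bus/usb/devices, lists every device exposing a HID interface, and flags those that are absent from a baseline recorded on a known-clean host or that bundle HID with mass-storage or network interfaces (an assumed heuristic: ordinary keyboards rarely do that, while KVM gadgets commonly add a virtual drive). The vendor/product IDs, strings and the sysfs tree built by build_demo_tree are constructed for the demo.

```python
"""Inventory USB devices that present a HID (keyboard/mouse) interface and flag the ones a
baseline does not know about, or that bundle HID with storage/network interfaces.
Added example; not code from the ISC diary or from any KVM project."""
from __future__ import annotations
import os
import tempfile

# USB bInterfaceClass values as sysfs prints them (two hex digits).
HID, CDC_ETHERNET, MASS_STORAGE = "03", "02", "08"


def _attr(path: str) -> str:
    """Read one sysfs attribute file; missing attributes become an empty string."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def scan_usb(sysfs_usb: str = "/sys/bus/usb/devices") -> dict[str, dict]:
    """Walk sysfs (or a constructed copy of it) and return one record per USB device.
    '1-1.4' is a device directory; '1-1.4:1.0' is interface 1.0 of that device."""
    devices: dict[str, dict] = {}
    for entry in sorted(os.listdir(sysfs_usb)):
        path = os.path.join(sysfs_usb, entry)
        if ":" in entry:
            dev_id = entry.split(":", 1)[0]
            rec = devices.setdefault(dev_id, {"interfaces": []})
            rec["interfaces"].append(_attr(os.path.join(path, "bInterfaceClass")))
        elif entry[:1].isdigit():  # skip root hubs ('usb1'), keep '1-1.4' style devices
            rec = devices.setdefault(entry, {"interfaces": []})
            for key in ("idVendor", "idProduct", "manufacturer", "product", "serial"):
                rec[key] = _attr(os.path.join(path, key))
    return devices


def hid_findings(devices: dict[str, dict], baseline: set[str]) -> list[dict]:
    """Return every HID-capable device with the reasons it deserves a look (empty = known, plain)."""
    findings = []
    for dev_id, rec in devices.items():
        ifaces = rec["interfaces"]
        if HID not in ifaces:
            continue
        fingerprint = f'{rec.get("idVendor", "")}:{rec.get("idProduct", "")}:{rec.get("serial", "")}'
        reasons = []
        if fingerprint not in baseline:
            reasons.append("not in baseline")
        if MASS_STORAGE in ifaces or CDC_ETHERNET in ifaces:
            reasons.append("HID bundled with storage/network interface")  # assumed heuristic
        findings.append({"port": dev_id, "fingerprint": fingerprint,
                         "product": rec.get("product", ""), "reasons": reasons})
    return findings


def build_demo_tree(root: str) -> str:
    """Constructed sysfs look-alike: one ordinary keyboard and one composite HID+storage gadget.
    All IDs and strings here are made up for the demo."""
    def dev(name: str, attrs: dict[str, str], ifaces: list[str]) -> None:
        d = os.path.join(root, name)
        os.makedirs(d)
        for key, value in attrs.items():
            with open(os.path.join(d, key), "w") as fh:
                fh.write(value + "\n")
        for n, cls in enumerate(ifaces):
            i = os.path.join(root, f"{name}:1.{n}")
            os.makedirs(i)
            with open(os.path.join(i, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")
    dev("1-1.3", {"idVendor": "1234", "idProduct": "0001", "manufacturer": "Example Keyboards",
                  "product": "Office Keyboard", "serial": "KB-000111"}, [HID])
    dev("1-1.4", {"idVendor": "abcd", "idProduct": "0104", "manufacturer": "Constructed Gadget",
                  "product": "Composite HID Device", "serial": "GADGET-42"}, [HID, HID, MASS_STORAGE])
    return root


def demo() -> list[dict]:
    """Scan the constructed tree against a baseline that only knows the office keyboard."""
    root = build_demo_tree(tempfile.mkdtemp())
    baseline = {"1234:0001:KB-000111"}  # fingerprints recorded on a known-clean host
    return hid_findings(scan_usb(root), baseline)
```

On a real Linux host, call hid_findings(scan_usb(), baseline) with a baseline captured when the machine was known to be clean. A KVM that only emulates a keyboard and mouse will trip the baseline check alone, so the baseline, not the composite-device heuristic, is the part to keep current.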
Tool updates: lots of security and logic fixes (2026.03.23)
https://isc.sans.edu/diary/Tool+updates+lots+of+security+and+logic+fixes/32820/
Interesting Message Stored in Cowrie Logs (2026.03.18)
https://isc.sans.edu/diary/Interesting+Message+Stored+in+Cowrie+Logs/32810/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-21992 - Oracle Identity Manager and Oracle Web Services Manager in Oracle Fusion Middleware (component: REST WebServices and Web Services Security) versions 12.2.1.4.0 and 14.1.2.1.0 are vulnerable to an easily exploitable attack that allows unauthenticated attackers to compromise the systems, potentially resulting in a complete takeover with a CVSS 3.1 Base Score of 9.8.
Product: Oracle Identity Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
ISC Podcast: https://isc.sans.edu/podcastdetail/9860
NVD References: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
CVE-2026-21994 - Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0 allows an unauthenticated attacker to compromise the tool's security and potentially take over the system.
Product: Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21994
NVD References: https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html
CVE-2026-33186 - gRPC-Go before version 1.79.3 has an authorization bypass vulnerability due to improper input validation of the HTTP/2 `:path` pseudo-header.
Product: gRPC-Go Servers
CVSS Score: 9.1
GitHub Stars: 22844
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
ISC Podcast: https://isc.sans.edu/podcastdetail/9862
NVD References: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
CVE-2025-69720 - ncurses infocmp -i Stack Buffer Overflow (CWE-121)
Product: ncurses progs/infocmp
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69720
CVE-2026-3381 - Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib
Product: Compress::Raw::Zlib
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3381
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3381
CVE-2026-4312 - GCB/FCB Audit Software by DrangSoft is vulnerable to Missing Authentication, enabling unauthorized remote attackers to create a new administrative account through specific APIs.
Product: DrangSoft GCB/FCB Audit Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4312
NVD References: https://www.twcert.org.tw/en/cp-139-10785-2cafe-2.html
CVE-2026-3564 - ScreenConnect is vulnerable to unauthorized access from an actor with server-level cryptographic material.
Product: ScreenConnect
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3564
NVD References: https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
CVE-2026-25534 - Spinnaker's updated URL Validation logic in clouddriver led to a vulnerability that allowed a bypass of a previous CVE (CVE-2025-61916) through carefully crafted URLs.
Product: Spinnaker Clouddriver
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25534
CVE-2026-25769 - Wazuh has a Remote Code Execution vulnerability (RCE) from versions 4.0.0 through 4.14.2, allowing attackers with compromised worker nodes to achieve full RCE on master nodes with root privileges.
Product: Wazuh
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25769
NVD References: https://github.com/wazuh/wazuh/security/advisories/GHSA-3gm7-962f-fxw5
CVE-2026-25770 - Wazuh is vulnerable to a privilege escalation flaw in its cluster synchronization protocol, allowing attackers to gain Root Remote Code Execution by overwriting the main configuration file.
Product: Wazuh
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25770
NVD References: https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm
CVE-2026-32298 - The Angeet ES3 KVM is susceptible to code injection attacks due to improper sanitization of user input.
Product: Angeet ES3 KVM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32298
NVD References: https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/
CVE-2026-31938 - jsPDF library versions prior to 4.2.1 allows attackers to inject arbitrary HTML, including scripts, into the browser context when generating PDFs using unsanitized user input.
Product: jsPDF
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31938
CVE-2025-67829 & CVE-2025-67830 - Mura CMS before 10.1.14 has SQL injection vulnerabilities
Product: Mura CMS (Murasoftware)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67829
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67830
NVD References: https://docs.murasoftware.com/v10/release-notes/#section-version-1014
CVE-2026-29859 - An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
Product: aaPanel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29859
CVE-2026-30701 through CVE-2026-30704 - Multiple vulnerabilities in WiFi Extender WDR201A
Product: WiFi Extender WDR201A
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30701
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30702
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30703
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30704
CVE-2026-32633 - Glances is vulnerable to unauthorized access in Central Browser mode prior to version 4.5.2, allowing network users to retrieve reusable credentials for protected downstream servers.
Product: Glances
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32633
CVE-2026-31966 & CVE-2026-31967 - Out-of-bounds read vulnerabilities in HTSlib CRAM reader due to improper validation of input
Product: HTSlib
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31966
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31967
NVD References:
- https://github.com/samtools/htslib/security/advisories/GHSA-5cj8-mj52-8vp3
- https://github.com/samtools/htslib/security/advisories/GHSA-33x5-c6vj-8f2w
CVE-2026-25873 - OmniGen2-RL is vulnerable to unauthenticated remote code execution via malicious HTTP POST requests that exploit insecure pickle deserialization in the reward server component.
Product: OmniGen2-RL
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25873
CVE-2026-31972 - SAMtools is vulnerable to a bug that may lead to a program crash or leakage of program state due to premature data discard, fixed in versions 1.21.1 and 1.22.
Product: SAMtools
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31972
CVE-2026-32698 & CVE-2026-32703 - OpenProject vulnerabilities
Product: OpenProject
CVSS Scores: 9.0 - 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32698 (SQL Injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32703 (cross-site scripting)
NVD References:
- https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx
- https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp
CVE-2025-15031 - MLflow's pyfunc extraction process vulnerability allows for arbitrary file writes via crafted tar.gz files, posing a high/critical risk in multi-tenant environments.
Product: MLflow
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15031
CVE-2026-32731 - ApostropheCMS is vulnerable to a Zip Slip exploit in versions prior to 3.5.3 of `@apostrophecms/import-export`, allowing users with Global Content Modify permission to upload malicious `.tar.gz` files and write attacker-controlled content to arbitrary paths on the host filesystem.
Product: ApostropheCMS
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32731
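The MLflow and ApostropheCMS entries above are the same bug class: a tar.gz is unpacked with the member names trusted, so a name like ../../etc/cron.d/evil, or a symlink member followed by a file written through it, lands outside the destination. The following is an added example, not code from MLflow, ApostropheCMS, or the ISC page. It builds a constructed malicious archive alongside a benign one, audits every member name and type before anything touches disk, and only then extracts, re-checking the resolved parent directory so that a symlink already present under the destination cannot redirect a write. The sample file names and contents are made up for the demo.

```python
"""Zip Slip demo: a constructed malicious tar.gz next to an extractor that refuses it.
Added example; not code from MLflow, ApostropheCMS, or the ISC page."""
from __future__ import annotations
import io
import os
import posixpath
import tarfile
import tempfile


class ZipSlipError(Exception):
    """An archive member would land outside the extraction directory."""


def build_targz(members: list[tuple[str, bytes | None, str | None]]) -> bytes:
    """Build a tar.gz in memory from (name, file_data, symlink_target) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def malicious_targz() -> bytes:
    """Constructed sample: one benign file plus three escape patterns an attacker would ship."""
    return build_targz([
        ("model/README.txt", b"benign\n", None),
        ("../../etc/cron.d/evil", b"* * * * * root /tmp/x\n", None),  # dot-dot traversal
        ("model/link", None, "/etc"),                                 # symlink pointing out of the tree
        ("model/link/passwd", b"root::0:0::/:/bin/sh\n", None),       # write that follows the symlink
    ])


def benign_targz() -> bytes:
    """Constructed sample that a well-behaved import would produce."""
    return build_targz([("model/README.txt", b"benign\n", None),
                        ("model/weights.bin", b"\x00" * 16, None)])


def check_name(name: str, link_members: set[str]) -> str | None:
    """Reject absolute names, names that climb out, and names routed through an earlier link member."""
    norm = posixpath.normpath(name)
    if posixpath.isabs(norm) or name.startswith("\\"):
        return "absolute path"
    if norm == ".." or norm.startswith("../"):
        return "path traversal"
    parts = norm.split("/")
    if any("/".join(parts[:i]) in link_members for i in range(1, len(parts))):
        return "path passes through a link member"
    return None


def audit_archive(targz: bytes) -> list[tuple[str, str | None]]:
    """Classify every member before anything touches disk: (name, rejection reason or None)."""
    report, link_members = [], set()
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tar:
        for m in tar:
            reason = check_name(m.name, link_members)
            if reason is None and (m.issym() or m.islnk()):
                reason = "link member"  # simplest safe policy: no links at all
                link_members.add(posixpath.normpath(m.name))
            elif reason is None and not (m.isfile() or m.isdir()):
                reason = "unsupported member type"  # devices, fifos
            report.append((m.name, reason))
    return report


def safe_extract(targz: bytes, dest: str) -> list[str]:
    """Extract only if the whole archive passes audit, so a bad archive leaves nothing behind."""
    rejected = [(n, r) for n, r in audit_archive(targz) if r is not None]
    if rejected:
        raise ZipSlipError(f"refusing archive: {rejected}")
    dest_real = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tar:
        for m in tar:
            target = os.path.join(dest_real, *posixpath.normpath(m.name).split("/"))
            parent = os.path.dirname(target)
            os.makedirs(parent, exist_ok=True)
            # A symlink already under dest (from an earlier extraction) could still redirect
            # the write, so resolve the parent on disk and re-check containment.
            parent_real = os.path.realpath(parent)
            if parent_real != dest_real and not parent_real.startswith(dest_real + os.sep):
                raise ZipSlipError(f"{m.name}: parent resolves outside {dest_real}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(m.name)
    return written


def demo() -> dict:
    """Run both samples through safe_extract and report what happened."""
    bad_dir, good_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        safe_extract(malicious_targz(), bad_dir)
        refused = False
    except ZipSlipError:
        refused = True
    return {"malicious_refused": refused,
            "left_behind": os.listdir(bad_dir),
            "benign_written": safe_extract(benign_targz(), good_dir)}
```

Auditing first and extracting second is the point: a single-pass extractor that rejects the bad member only when it reaches it has already written the earlier ones. On Python 3.12 and later (and the backports that added PEP 706), tarfile.extractall(path, filter="data") applies comparable rules from the standard library; the explicit version above shows what those rules have to cover.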
CVE-2026-22557 - UniFi Network Application is susceptible to a Path Traversal vulnerability that allows a malicious actor to access and potentially manipulate system files, granting unauthorized access to an underlying account.
Product: UniFi Network Application
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22557
CVE-2026-30402 - An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function
Product: wgcloud
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30402
CVE-2026-32865 - OPEXUS eComplaint and eCASE before version 10.1.0.0 leak secret verification codes in HTTP responses, allowing attackers to reset passwords and security questions with only an email address.
Product: OPEXUS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32865
CVE-2025-67112, CVE-2025-67113, & CVE-2025-67114 - Multiple vulnerabilities in Sercomm SCE4255W small cell firmware.
Product: Sercomm SCE4255W Small Cell
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67112 (hard-coded cryptographic key)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67113 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67114 (weak credentials)
CVE-2026-30694 - An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
Product: DedeCMS v.5.7.118
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30694
CVE-2026-32238 - OpenEMR prior to version 8.0.0.2 has a Command injection vulnerability in its backup feature that allows authenticated attackers to exploit it.
Product: OpenEMR
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32238
CVE-2026-30836 - Step CA does not safeguard against unauthenticated certificate issuance through SCEP UpdateReq in versions 0.30.0-rc6 and below.
Product: Step CA Online Certificate Authority
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30836
CVE-2026-30871 & CVE-2026-30872 - OpenWrt Project prior to versions 24.10.6 and 25.12.1 has Stack-based Buffer Overflow vulnerabilities.
Product: OpenWrt Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30871
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30872
CVE-2026-32038 - OpenClaw allows trusted operators to bypass sandbox network isolation and join another container's network namespace by configuring the docker.network parameter with container IDs.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32038
CVE-2026-22172 - OpenClaw before 2026.3.12 allows attackers to bypass authorization by self-declaring elevated scopes in WebSocket connections.
Product: OpenClaw
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22172
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8
CVE-2026-32913 - OpenClaw before 2026.3.7 has an improper header validation vulnerability that allows attackers to intercept sensitive headers during cross-origin redirects.
Product: OpenClaw
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32913
CVE-2026-32751, CVE-2026-32767, CVE-2026-32938, CVE-2026-32940, CVE-2026-33066, CVE-2026-33067 - Multiple vulnerabilities in SiYuan personal knowledge management system.
Product: SiYuan
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32751 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32767 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32938 (arbitrary file read)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32940 (incomplete fix for CVE-2026-29183)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33066 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33067 (cross-site scripting)
CVE-2026-32754 - FreeScout versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through email notification templates, allowing unauthenticated attackers to execute phishing attacks and potentially hijack sessions or steal credentials.
Product: FreeScout
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32754
CVE-2026-22732 - Spring Security is vulnerable to HTTP response headers not being written when specified in servlet applications, impacting versions 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3.
Product: Spring Security
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22732
CVE-2026-29103 - SuiteCRM is susceptible to a Critical Remote Code Execution (RCE) vulnerability in versions 7.15.0 and 8.9.2, enabling authenticated administrators to run arbitrary system commands and bypass the CVE-2024-49774 patch.
Product: SuiteCRM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29103
CVE-2026-32760 - File Browser in versions 2.61.2 and below allows unauthenticated visitors to register as full administrators due to a flaw in the signup handler.
Product: File Browser
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32760
CVE-2026-32985 - Xerte Online Toolkits versions 3.14 and earlier have an unauthenticated arbitrary file upload vulnerability that allows an attacker to achieve remote code execution.
Product: Xerte Online Toolkits
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32985
CVE-2026-32817 - Admidio is vulnerable to unauthorized deletion of folders and files in versions 5.0.0 through 5.0.6 due to lack of permission verification, CSRF token validation, and GET requests triggering deletion, potentially allowing unauthenticated attackers to destroy the document library.
Product: Admidio
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32817
CVE-2026-32945 - PJSIP versions 2.16 and below have a Heap-based Buffer Overflow vulnerability in the DNS parser's name length handler, impacting applications using PJSIP's built-in DNS resolver.
Product: PJSIP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32945
CVE-2026-33017, CVE-2026-33309 & CVE-2026-33475 - Langflow vulnerabilities
Product: Langflow
CVSS Score: 9.1 - 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33017 (Unauthenticated Remote Code Execution)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33309 (Arbitrary File Write / RCE)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33475 (unauthenticated remote shell injection)
NVD References:
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w
CVE-2026-33054 & CVE-2026-33057 - Mesop has a Path Traversal vulnerability in versions 1.2.2 and below, allowing unauthorized users to target files on the disk and potentially lead to application denial of service or arbitrary file manipulation.
Product: Mesop-Dev
CVSS Scores: 9.8 - 10.0
GitHub Stars: 6521
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33054 (path traversal)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33057 (code injection)
CVE-2026-33134, CVE-2026-33135, CVE-2026-33136 - Multiple vulnerabilities in WeGIA web manager for charitable institutions.
Product: WeGIA
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33134 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33135 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33136 (cross-site scripting)
CVE-2024-44722 - SysAK v2.0 and before is vulnerable to OS command injection; the reported proof of concept supplies a payload of the form "aaa;cat /etc/passwd".
Product: SysAK v2.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44722
CVE-2026-21732 - GPU shader compiler library vulnerability due to out-of-bounds write access in switch statement edge cases.
Product: GPU shader compiler library
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21732
CVE-2026-25192 & CVE-2026-29796 - WebSocket endpoints in OCPP lack authentication, allowing attackers to impersonate stations, manipulate data, and potentially gain unauthorized control of charging infrastructure.
Product: OCPP WebSocket endpoints
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25192
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29796
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
CVE-2026-24060 - WebCTRL is vulnerable to data interception and modification due to lack of encryption in BACnet packet transmission, allowing attackers to sniff and reverse engineer proprietary format information.
Product: WebCTRL BACnet
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24060
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
CVE-2019-25568 - Memu Play 6.0.7 has an insecure file permissions vulnerability enabling low-privilege users to gain escalated privileges by replacing the MemuService.exe executable with a malicious one.
Product: Memu Play
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25568
CVE-2019-25614 - Free Float FTP 1.0 is vulnerable to a buffer overflow via the STOR command, allowing remote attackers to execute arbitrary code by sending a specially crafted request.
Product: Free Float FTP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25614
CVE-2026-4567 - Tenda A15 15.13.07.13 is vulnerable to a remote stack-based buffer overflow in the UploadCfg function of the /cgi-bin/UploadCfg file through manipulation of the argument File, with a public exploit available.
Product: Tenda A15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4567
CVE-2026-4599 - The package jsrsasign from version 7.0.0 to 11.1.1 is vulnerable to biased DSA nonces during signature generation through incomplete comparison with missing factors in src/crypto-1.1.js.
Product: Jsrsasign_Project Jsrsasign
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4599
CVE-2026-3587 - The vulnerability in the CLI prompt of WAGO Managed Switches allows an unauthenticated remote attacker to gain root access and fully compromise the device.
Product: WAGO Managed Switches
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3587
NVD References: https://certvde.com/de/advisories/VDE-2026-020
CVE-2026-32968 - com_mb24sysapi module is vulnerable to an RCE attack, allowing remote attackers to compromise the system due to improper neutralization of special elements.
Product: MB connect line mbCONNECT24/mymbCONNECT24 and Helmholz myREX24V2 / myREX24V2.virtual
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32968
NVD References:
- https://certvde.com/de/advisories/VDE-2026-024
- https://certvde.com/de/advisories/VDE-2026-025
CVE-2026-4585 - Tiandy Easy7 Integrated Management Platform up to version 7.17.0 is vulnerable to remote os command injection in the Configuration Handler component.
Product: Tiandy Easy7 Integrated Management Platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4585
CVE-2026-33297, CVE-2026-33351, CVE-2026-33352, CVE-2026-33478, CVE-2026-33502, & CVE-2026-33716 - Multiple vulnerabilities in WWBN AVideo
Product: WWBN AVideo
CVSS Scores: 9.1 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33297 (authorization bypass)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33351 (server-side request forgery)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33352 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33478 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33502 (server-side request forgery)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33716 (improper authentication)
NVD References: https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m
CVE-2026-4404 - GoHarbor Harbor version 2.15.0 and below is vulnerable to attackers exploiting hard coded credentials to gain unauthorized access to the web UI.
Product: GoHarbor Harbor
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4404
NVD References: https://www.kb.cert.org/vuls/id/577436
CVE-2026-2298 - Salesforce Marketing Cloud Engagement is vulnerable to Argument Injection through improper neutralization of delimiters, allowing for Web Services Protocol Manipulation.
Product: Salesforce Marketing Cloud Engagement
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2298
NVD References: https://help.salesforce.com/s/articleView?id=005299346&type=1
CVE-2025-60949 - Census CSWeb 8.0.1 exposes "app/config" via HTTP, allowing remote attackers to retrieve leaked secrets without authentication, fixed in 8.1.0 alpha.
Product: Census CSWeb
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60949
CVE-2026-33195 & CVE-2026-33202 - Vulnerabilities in Active Storage in Rails applications prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
Product: Ruby on Rails
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33195 (path traversal)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33202 (injection)
NVD References: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
NVD References: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
CVE-2026-33211 - Tekton Pipelines project is vulnerable to path traversal via the `pathInRepo` parameter in versions prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, allowing a tenant with permission to create `ResolutionRequests` to read arbitrary files from the resolver pod's filesystem.
Product: Tekton Pipelines project
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33211
CVE-2026-33286 - Graphiti framework versions prior to 1.10.2 have an arbitrary method execution vulnerability that allows attackers to invoke any public method on underlying model instances or classes via malicious JSONAPI payloads.
Product: Graphiti Framework
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33286
CVE-2026-4750 - Out-of-bounds Read vulnerability in fabiangreffrath woof. This issue affects woof: before woof_15.3.0.
Product: fabiangreffrath woof
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4750
CVE-2026-4753 - Out-of-bounds Read vulnerability in slajerek RetroDebugger. This issue affects RetroDebugger: before v0.64.72.
Product: slajerek RetroDebugger
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4753
CVE-2026-4755 - Improper input validation (CWE-20) vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Product: MolotovCherry Android-ImageMagick7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4755
CVE-2019-25628 - Download Accelerator Plus DAP 10.0.6.0 is vulnerable to remote code execution via crafted URLs that exploit a structured exception handler buffer overflow.
Product: Download Accelerator Plus DAP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25628
CVE-2019-25646 - Tabs Mail Carrier 2.5.1 is vulnerable to a buffer overflow in the MAIL FROM SMTP command, allowing remote attackers to execute arbitrary code through a crafted parameter.
Product: Tabs Mail Carrier 2.5.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25646
CVE-2026-4688, CVE-2026-4691, CVE-2026-4696, CVE-2026-4698, CVE-2026-4700 through CVE-2026-4702, CVE-2026-4705, CVE-2026-4711, CVE-2026-4715 through CVE-2026-4717, CVE-2026-4723, & CVE-2026-4725 - Multiple vulnerabilities in Firefox and Thunderbird.
Product: Mozilla Firefox, Firefox ESR, Thunderbird
CVSS Scores: 9.1 - 10.0
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2026-20/
- https://www.mozilla.org/security/advisories/mfsa2026-21/
- https://www.mozilla.org/security/advisories/mfsa2026-22/
- https://www.mozilla.org/security/advisories/mfsa2026-23/
- https://www.mozilla.org/security/advisories/mfsa2026-24/
CVE-2025-71275 - Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 is vulnerable to command injection, allowing attackers to execute system commands remotely.
Product: Zimbra Collaboration Suite (ZCS)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71275
CVE-2026-33340 - LoLLMs WEBUI is vulnerable to a critical Server-Side Request Forgery (SSRF) in its "/api/proxy" endpoint, allowing unauthenticated attackers to make arbitrary GET requests and potentially access internal services or exfiltrate sensitive data.
Product: LoLLMs WEBUI
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33340
CVE-2025-33244 - NVIDIA APEX for Linux is vulnerable to untrusted data deserialization, allowing attackers to potentially execute code, perform denial of service attacks, escalate privileges, tamper with data, and disclose information in PyTorch versions earlier than 2.6.
Product: NVIDIA APEX for Linux
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33244
CVE-2026-2991 - The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass, allowing unauthenticated attackers to access sensitive patient information and potentially breach PII/PHI.
Product: KiviCare Clinic & Patient Management System (EHR) plugin for WordPress
Active Installations: 2,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2991
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8d22448b-aa8e-4775-b7c5-e7bae94a3f6d?source=cve
CVE-2026-4283 - The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction through the `super-unsubscribe` AJAX action in versions up to 3.1.38, allowing unauthenticated users to bypass email confirmation and anonymize accounts with a submitted email address and `process_now=1`.
Product: WP GDPR Tools WP DSGVO Tools (GDPR) plugin
Active Installations: 10,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4283
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve
CVE-2026-4038 - The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call, allowing unauthenticated attackers to gain administrative user access by exploiting a missing capability check on the 'aiomatic_call_ai_function_realtime' function in versions up to 2.7.5. Update to version 2.7.6 or a newer patched version.
Product: Aimogen Pro plugin for WordPress
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4038
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve
CVE-2026-4001 - The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1. Update to version 5.4.2 or a newer patched version.
Product: Woocommerce Custom Product Addons Pro plugin
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4001
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve
CVE-2026-3584 - The Kali Forms plugin for WordPress up to version 2.4.9 is vulnerable to Remote Code Execution through the 'form_process' function, allowing unauthenticated attackers to execute code on the server.
Product: WordPress Kali Forms plugin
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3584
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve
NO CUSTOMER ACTION REQUIRED
CVE-2026-26137 - Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability
Product: Microsoft 365 Copilot Chat
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26137
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137
CVE-2026-32169 - Azure Cloud Shell Elevation of Privilege Vulnerability
Product: Azure Cloud Shell
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32169
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32169
CVE-2026-32191 & CVE-2026-32194 - Microsoft Bing Images Remote Code Execution Vulnerabilities
Product: Microsoft Bing Images
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32191
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32194
MSFT Details:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32191
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194
CVE-2026-23658 - Azure DevOps: msazure Elevation of Privilege Vulnerability
Product: Microsoft Azure DevOps
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23658
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658
CVE-2026-23659 - Azure Data Factory Information Disclosure Vulnerability
Product: Microsoft Azure Data Factory
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23659
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23659
CVE-2026-26138 & CVE-2026-26139 - Microsoft Purview Elevation of Privilege Vulnerabilities
Product: Microsoft Purview
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26138
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26139
MSFT Details:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26138
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139
Meet Optro: AuditBoard Unveils New Identity. A name change that signals something real — a connected view across audit, risk, and compliance that helps organizations get ahead of risk, not just respond to it. Learn why over 50 percent of the Fortune 500 trust Optro to transform risk into opportunity.
Take the Survey | SANS 2026 Threat Hunting Survey: The Evolution of Threat Hunting. Contribute your expertise and get a chance to win one of four prizes. It will only take 11 minutes and will be highly valuable to the community.
Webinar | Beyond Backup: Identity Resilience for the Modern Enterprise | Wednesday, April 22, at 1:00 PM ET
Webinar | Air-Gapped Security in a Connected World | Thursday, April 23, at 3:30 PM ET