How often are redirects used in phishing in 2026?
Published: 2026-04-06
Last Updated: 2026-04-06 08:50:27 UTC
by Jan Kopriva (Version: 1)
In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors, which made me wonder about how commonly these mechanisms are actually misused…
Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing.
The reason is quite straightforward – links pointing to legitimate domains (such as google.com) included in phishing messages may appear benign to recipients and can also evade simpler e-mail scanners and other detection mechanisms.
Even though open redirect has not been listed in OWASP Top 10 for quite some time, it is clear that attackers have never stopped looking for it or using it. If I look at traffic on almost any one of my own domains, hardly a month goes by when I don’t see attempts to identify potentially vulnerable endpoints, such as…
Read the full entry: https://isc.sans.edu/diary/How+often+are+redirects+used+in+phishing+in+2026/32870/
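One way an e-mail scanner can avoid the trap described above (trusting the visible domain) is to look inside the query string for a second, fully qualified URL whose host differs from the link's own host. This is an added illustration, not ISC's code; the sample links and hostnames are constructed.

```python
"""Flag links whose query string carries a URL to a different host.

Added example for the redirect-based phishing pattern discussed above.
All sample links are constructed; the heuristic treats any absolute or
protocol-relative URL inside a query value as a potential redirect target.
"""
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample links as they might appear in a message body.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https://login.example-phish.test/&sa=D",
    "https://www.google.com/search?q=open+redirect",
    "https://portal.example.com/login?next=/dashboard",
    "https://portal.example.com/login?next=//evil.example.test/login",
    "https://cdn.example.org/go?u=https%3A%2F%2Fevil.example.test%2Fx",
]


def _looks_like_url(value: str) -> bool:
    """True when a query value is an absolute URL or a protocol-relative one."""
    v = unquote(value).strip().lower()
    return v.startswith(("http://", "https://", "//"))


def _host_of(value: str) -> str:
    """Host of an embedded URL value; '//host/...' is treated as https."""
    v = unquote(value).strip()
    if v.startswith("//"):
        v = "https:" + v
    return (urlparse(v).hostname or "").lower()


def find_redirect_targets(link: str) -> list:
    """Return (parameter, target_host) pairs for query values that carry a
    full URL pointing at a host other than the link's own host."""
    parsed = urlparse(link)
    own_host = (parsed.hostname or "").lower()
    hits = []
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if not _looks_like_url(value):
            continue
        target = _host_of(value)
        if target and target != own_host:
            hits.append((key, target))
    return hits


def suspicious_links(links) -> list:
    """Links worth escalating: the visible host is not the final destination."""
    return [link for link in links if find_redirect_targets(link)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print(link, "->", find_redirect_targets(link))
```

Relative `next=/dashboard` values are deliberately ignored; only a value that names another host is escalated.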
Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208)
Published: 2026-04-02
Last Updated: 2026-04-02 14:49:00 UTC
by Johannes Ullrich (Version: 1)
From its GitHub repo: "Vite (French word for "quick", pronounced /vit/, like "veet") is a new breed of frontend build tooling that significantly improves the frontend development experience" [https://github.com/vitejs/vite].
This environment introduces some neat and useful shortcuts to make developers' lives simpler. But as so often, if exposed, these features can be turned against you.
Today, I noticed our honeypots collecting URLs like…
This pattern matches CVE-2025-30208, a vulnerability in Vite described by Offsec.com in July last year [https://www.offsec.com/blog/cve-2025-30208/].
The '@fs' feature is a Vite prefix for retrieving files from the server. To protect the server's file system, Vite implements configuration directives to restrict access to specific directories. However, the '??raw?' suffix can be used to bypass the access list and download arbitrary files. Scanning activity on port 5173 is quite low, and the attacks we have seen use standard web server ports.
Vite is typically listening on port 5173. It should be installed such that it is only reachable via localhost, but apparently, at least attackers believe that it is often exposed. The attacks we are seeing are attempting to retrieve various well-known configuration files, likely to extract secrets…
Read the full entry: https://isc.sans.edu/diary/Attempts+to+Exploit+Exposed+Vite+Installs+CVE202530208/32860/
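Because a Vite dev server is only ever meant to be reached from localhost, any '@fs' request from a non-loopback client is already a finding, and one whose query starts with the raw/import tokens is the bypass probe described above. The following detector over combined-format web logs is an added illustration, not ISC's or the Vite project's code; the log lines are constructed, and the query-token check is a simplified matcher rather than a complete signature.

```python
"""Flag web-server log lines that probe the Vite '@fs' file-read path.

Added example; it is not ISC's code. Sample log lines are constructed in
Apache/nginx combined format. Matching is on the request path, not the
port, since the diary notes that attacks arrive on standard web ports.
"""
import re
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: a query beginning with 'raw' or 'import' on an @fs path marks
# the access-list bypass; plain @fs reads from remote clients are still
# reported, at a lower severity.
BYPASS_QUERY_RE = re.compile(r"(?:^|&)(?:raw|import)\b")

# Constructed sample traffic: two probes, one local dev request,
# one remote plain @fs read, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2026:10:11:12 +0000] "GET /@fs/etc/hostname?raw?? HTTP/1.1" 404 153
203.0.113.10 - - [02/Apr/2026:10:11:13 +0000] "GET /@fs/srv/app/.env?import&raw?? HTTP/1.1" 404 153
127.0.0.1 - - [02/Apr/2026:10:12:00 +0000] "GET /@fs/home/dev/project/src/main.ts HTTP/1.1" 200 2048
198.51.100.8 - - [02/Apr/2026:10:12:30 +0000] "GET /@fs/home/dev/project/src/main.ts HTTP/1.1" 200 2048
198.51.100.9 - - [02/Apr/2026:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 612
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Return a finding label for one parsed entry, or None when benign."""
    path, _, query = entry["target"].partition("?")
    if not path.startswith("/@fs/"):
        return None
    ip = entry["ip"]
    local = ip.startswith("127.") or ip == "::1"
    if local:
        return None  # a developer's own browser talking to the dev server
    if BYPASS_QUERY_RE.search(query):
        return "vite-fs-bypass-probe"
    return "vite-fs-remote-access"  # @fs should never be reachable remotely


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, label) for every flagged line."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["target"], label))
    return findings


if __name__ == "__main__":
    for ip, target, label in scan_log(SAMPLE_LOG):
        print(f"{label:24} {ip:15} {target}")
```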
TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments
Published: 2026-04-03
Last Updated: 2026-04-03 13:18:01 UTC
by Kenneth Hartman (Version: 1)
This is the sixth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" [https://www.sans.org/white-papers/when-security-scanner-became-weapon, v3.0, March 25, 2026]. Update 005 [https://isc.sans.edu/diary/32856] covered developments through April 1, including the first confirmed victim disclosure (Mercor AI), Wiz's post-compromise cloud enumeration findings, DPRK attribution of the axios compromise, and LiteLLM's release resumption after Mandiant's forensic audit. This update covers intelligence from April 1 through April 3, 2026.
CRITICAL: CERT-EU Confirms European Commission Cloud Breach via Trivy Supply Chain Compromise
CERT-EU disclosed on April 2-3, 2026 that the European Commission's Europa web hosting platform on AWS was breached through the Trivy supply chain compromise (CVE-2026-33634). This is the highest-profile governmental victim disclosure to date. [https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain]
Key details from the CERT-EU advisory:
Initial access: AWS API keys stolen via the compromised Trivy scanner on March 19
Detection: European Commission Security Operations Center fired alerts on March 24 (5 days after initial intrusion)
CERT-EU notified: March 25; access revoked same day
Data exfiltrated: 340 GB uncompressed (91.7 GB compressed archive) from the compromised AWS account
Email exposure: Approximately 52,000 email-related files (2.22 GB) of outbound communications
Scope: 71 clients affected: 42 internal European Commission departments plus 29 other EU entities, meaning at least 30 Union entities were potentially impacted
Data publication: ShinyHunters published the stolen data on their dark web leak site on March 28
Lateral movement: CERT-EU confirmed no lateral movement to other Commission AWS accounts was detected
Europa.eu websites remained unaffected throughout
Analysts assess this disclosure is significant on multiple dimensions. First, it confirms that TeamPCP-harvested credentials reached a major governmental institution, not just private-sector targets. Second, the involvement of ShinyHunters in the data publication raises questions about the credential distribution chain, as ShinyHunters is operationally distinct from TeamPCP's known LAPSUS$ and Vect partnerships. Third, the five-day dwell time between initial access (March 19) and detection (March 24) is consistent with the 24-hour operational tempo that Wiz documented for TeamPCP's post-compromise cloud enumeration. [https://www.wiz.io/blog/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild]
Recommended action: EU institutions and organizations hosted on Europa infrastructure should review CERT-EU's advisory for specific exposure indicators. Organizations with AWS credentials that may have been exposed through the Trivy compromise should treat the EC breach as confirmation that stolen credentials are being actively used against high-value targets. The CERT-EU disclosure timeline (initial access March 19, detection March 24, notification March 25, public disclosure April 2) demonstrates that even well-resourced organizations required five days to detect the intrusion…
A Little Bit Pivoting: What Web Shells are Attackers Looking for? (2026.04.07)
https://isc.sans.edu/diary/A+Little+Bit+Pivoting+What+Web+Shells+are+Attackers+Looking+for/32874/
TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows (2026.04.01)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-35616 - Fortinet FortiClient EMS 7.4.5 through 7.4.6 may allow unauthorized code execution through crafted requests by an unauthenticated attacker.
Product: Fortinet FortiClient EMS
CVSS Score: 9.8
** KEV since 2026-04-06 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35616
ISC Podcast: https://isc.sans.edu/podcastdetail/9880
NVD References:
- https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616
CVE-2026-33634 - Trivy was compromised on March 19, 2026, allowing a threat actor to replace version tags with malicious commits, potentially exposing sensitive data.
Product: Aqua Security Trivy
CVSS Score: 0
** KEV since 2026-03-26 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33634
ISC Diary: https://isc.sans.edu/diary/32864
NVD References: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634
CVE-2026-5281 - Chromium: CVE-2026-5281 Use after free in Dawn
Product: Google Chrome
CVSS Score: 0
** KEV since 2026-04-01 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5281
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5281
NVD References:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
- https://issues.chromium.org/issues/491518608
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-5281
CVE-2026-5288 - Google Chrome on Android prior to 146.0.7680.178 is vulnerable to a use after free in WebView, allowing a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Product: Google Chrome
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5288
NVD References:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
- https://issues.chromium.org/issues/495507390
CVE-2026-3429 - Keycloak Account REST API vulnerability allows lower-security authenticated users to delete MFA credentials and take control of accounts.
Product: Keycloak Account REST API
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3429
ISC Podcast: https://isc.sans.edu/podcastdetail/9882
CVE-2025-30208 - Vite has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 that allows attackers to bypass file access restrictions by adding specific strings to the URL.
Product: Vite
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30208
ISC Podcast: https://isc.sans.edu/podcastdetail/9878
CVE-2026-34041 - Act version 0.2.85 and earlier unconditionally processed deprecated github actions commands, allowing for environment injection risks.
Product: Nektos Act
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34041
NVD References: https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw
CVE-2026-34060 - Ruby LSP had a vulnerability that allowed arbitrary Ruby code execution when opening a project with a malicious .vscode/settings.json file.
Product: Ruby LSP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34060
NVD References: https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93
CVE-2025-15618 - Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key generated by a weak hashing algorithm.
Product: MetaCPAN Business::OnlinePayment::StoredTransaction
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15618
NVD References: https://www.openwall.com/lists/oss-security/2026/03/31/7
CVE-2026-32916, CVE-2026-32917, CVE-2026-33579 - OpenClaw vulnerabilities.
Product: OpenClaw
CVSS Scores: 9.4 - 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32916
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32917
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33579
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497
CVE-2026-34156 - NocoBase's Workflow Script Node in versions prior to 2.0.28 allows for Remote Code Execution by authenticated attackers through a prototype chain traversal vulnerability.
Product: NocoBase
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34156
NVD References: https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c
CVE-2026-34162 - FastGPT's version prior to 4.14.9.5 exposes an unauthenticated HTTP tools testing endpoint, allowing full access as an HTTP proxy.
Product: FastGPT
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34162
NVD References: https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj
CVE-2026-34532 - Parse Server is vulnerable to access control bypass prior to versions 8.6.67 and 9.7.0-alpha.11, allowing unauthenticated callers to invoke protected Cloud Functions by appending "prototype.constructor" to the function name in the URL.
Product: Parse-Server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34532
NVD References: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
CVE-2026-34220 & CVE-2026-34221 - MikroORM vulnerabilities
Product: MikroORM
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34220
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34221
NVD References:
- https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm
- https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6
CVE-2026-34235 - PJSIP's VP9 RTP unpacketizer in versions prior to 2.17 has a heap out-of-bounds read vulnerability when parsing VP9 SS data, allowing for reads beyond the allocated buffer.
Product: PJSIP VP9 RTP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34235
NVD References: https://github.com/pjsip/pjproject/security/advisories/GHSA-pqrm-53pc-wx28
CVE-2026-30278 - FLY is FUN Aviation Navigation v35.33 is vulnerable to arbitrary file overwrite, potentially enabling attackers to execute code or expose sensitive information.
Product: FLY is FUN
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30278
CVE-2026-30282 - UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is vulnerable to arbitrary file overwrite, enabling attackers to execute arbitrary code or expose sensitive information.
Product: UXGROUP LLC Cast to TV
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30282
CVE-2026-34400 - Alerta monitoring tool had a SQL injection vulnerability in the Query string search API prior to version 9.1.0.
Product: Alerta monitoring tool
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34400
NVD References: https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j
CVE-2026-34448 - SiYuan is vulnerable to stored XSS via malicious URLs in Attribute View mAsset fields, allowing for arbitrary OS command execution under the victim's account prior to version 3.6.2.
Product: SiYuan
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34448
NVD References: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rx4h-526q-4458
CVE-2026-34449 - SiYuan is vulnerable to Remote Code Execution (RCE) via a malicious website exploiting a permissive CORS policy, allowing a JavaScript snippet to execute with full OS access in version 3.6.2 and below.
Product: SiYuan
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34449
NVD References: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv
CVE-2026-39846 - SiYuan allows for remote code execution through malicious notes synced to another user prior to version 3.6.4.
Product: SiYuan Electron desktop client
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39846
NVD References: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2
CVE-2025-71279 - XenForo before 2.3.7 has a Passkey security issue that can be exploited by attackers to compromise authentication security.
Product: XenForo
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71279
NVD References: https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/
CVE-2026-4370 - Juju is vulnerable to unauthorized access and potential data compromise due to improper TLS authentication in its Dqlite database cluster.
Product: Canonical Juju
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4370
NVD References: https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p
CVE-2026-29014 - MetInfo CMS versions 7.9, 8.0, and 8.1 have an unauthenticated PHP code injection vulnerability, enabling remote attackers to execute malicious code and take control of the server.
Product: MetInfo CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29014
CVE-2026-31027 - TOTOlink A3600R v5.9c.4959 is vulnerable to a buffer overflow via the setAppEasyWizardConfig interface, potentially allowing remote attackers to execute arbitrary code or cause denial of service.
Product: Totolink A3600R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31027
CVE-2024-40489 & CVE-2024-43028 - Jeecg Boot vulnerabilities
Product: Jeecg Boot
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40489
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43028
CVE-2026-20093 - Cisco Integrated Management Controller (IMC) has a vulnerability in its password change functionality that could let an attacker bypass authentication and gain system access as Admin.
Product: Cisco Integrated Management Controller (IMC)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20093
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
CVE-2026-20160 - Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
Product: Cisco Smart Software Manager On-Prem
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20160
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr
CVE-2026-30643 - DedeCMS 5.7.118 allows attackers to execute code through crafted setup tag values during a module upload.
Product: DedeCMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30643
CVE-2026-34159 - llama.cpp is vulnerable to remote code execution due to a lack of bounds validation in deserialize_tensor() prior to version b8492, allowing unauthenticated attackers to read and write process memory via crafted GRAPH_COMPUTE messages.
Product: llama.cpp
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34159
NVD References: https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw
CVE-2026-34751 - Payload is vulnerable to an authentication bypass issue in the password recovery flow prior to version 3.79.1, allowing an attacker to impersonate a user who requests a password reset.
Product: Payload
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34751
NVD References: https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf
CVE-2026-34872, CVE-2026-34873, CVE-2026-34875, CVE-2026-34877 - Mbed TLS vulnerabilities.
Product: Arm Mbed TLS
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34872
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34875
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34873
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34877
NVD References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/
CVE-2026-34520 - AIOHTTP prior to version 3.13.4 allowed null bytes and control characters in response headers due to a vulnerability in the C parser.
Product: AIOHTTP asynchronous HTTP client/server framework
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34520
NVD References: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
CVE-2026-33615 - Setinfo endpoint in MB connect line mbCONNECT24/mymbCONNECT24 is susceptible to SQL Injection, allowing remote attackers to compromise integrity and availability.
Product: MB connect line mbCONNECT24/mymbCONNECT24
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33615
NVD References: https://certvde.com/de/advisories/VDE-2026-030
CVE-2026-2699 & CVE-2026-2701 - Multiple vulnerabilities in Customer Managed ShareFile Storage Zones Controller (SZC).
Product: ShareFile Storage Zones Controller (SZC)
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2699
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2701
NVD References:
- https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26
- https://github.com/watchtowrlabs/watchTowr-vs-Progress-ShareFile-CVE-2026-2699
CVE-2026-25212 - Percona PMM before 3.7 allows attackers with pmm-admin rights to execute shell commands on the underlying operating system by exploiting a flaw in the "Add data source" feature.
Product: Percona PMM
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25212
NVD References: https://docs.percona.com/percona-monitoring-and-management/3/release-notes/3.7.0.html#authenticated-remote-code-execution-via-internal-data-source-cve-2026-25212
CVE-2026-34717 - OpenProject allows for SQL injection attacks due to lack of parameterization prior to version 17.2.3.
Product: OpenProject
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34717
NVD References: https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364
CVE-2026-34745 - Fireshare before version 1.5.3 allows unauthenticated attackers to write arbitrary files to the server filesystem via the /api/uploadChunked/public endpoint.
Product: Fireshare
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34745
NVD References: https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-fvvp-rj8g-c7gc
CVE-2026-34758 - OneUptime prior to version 10.0.42 allows unauthenticated access to endpoints leading to SMS/Call/Email/WhatsApp abuse and unauthorized phone number purchases.
Product: OneUptime
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34758
NVD References: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp
CVE-2024-14034 - Hirschmann HiEOS devices prior to version 01.1.00 are vulnerable to an authentication bypass flaw in the HTTP(S) management module, allowing unauthenticated remote attackers to gain administrative access.
Product: Hirschmann HiEOS devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-14034
NVD References:
- https://assets.belden.com/m/7ec5c6da25ef288/original/Belden_Security_Bulletin_BSECV-2024-02_1v0.pdf
CVE-2021-4477 - Hirschmann HiLCOS OpenBAT and BAT450 products have a firewall bypass vulnerability in IPv6 IPsec deployments, enabling VPN traffic to bypass firewall rules when attackers establish IPv6 IPsec connections alongside an IPv6 Internet connection.
Product: Hirschmann HiLCOS OpenBAT and BAT450 products
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-4477
NVD References:
- https://assets.belden.com/m/5fd1a50fa50cb252/original/Belden-Security-Bulletin-BSECV-1v0-2019-09.pdf
- https://www.vulncheck.com/advisories/hirschmann-hilcos-openbat-bat450-ipv6-ipsec-firewall-bypass
CVE-2018-25236 - Hirschmann HiOS and HiSecOS products contain an authentication bypass vulnerability in the HTTP(S) management module.
Product: Hirschmann HiOS and HiSecOS products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25236
CVE-2018-25237 - Hirschmann HiSecOS devices versions prior to 05.3.03 have a buffer overflow vulnerability in the HTTPS login interface, allowing remote attackers to crash the device or execute arbitrary code with a long password.
Product: Hirschmann HiSecOS devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25237
NVD References:
- https://www.vulncheck.com/advisories/hirschmann-hisecos-buffer-overflow-via-https-login
CVE-2017-20237 - Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 are vulnerable to an authentication bypass flaw allowing unauthenticated attackers to execute commands with admin privileges.
Product: Hirschmann Industrial HiVision
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20237
CVE-2026-31818 - Budibase's REST datasource connector in versions prior to 3.33.4 is vulnerable to server-side request forgery due to an ineffective SSRF protection mechanism.
Product: Budibase REST datasource connector
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31818
NVD References: https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
CVE-2026-35216 - Budibase allows unauthenticated attackers to achieve Remote Code Execution prior to version 3.33.4 via a Bash step in an automation triggered through the public webhook endpoint, running as root inside the container.
Product: Budibase platform
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35216
NVD References: https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf
CVE-2026-28373 - The Stackfield Desktop App before 1.10.2 for macOS and Windows is vulnerable to a path traversal issue, allowing a malicious export to write arbitrary content to any path on the victim's filesystem.
Product: Stackfield Desktop App
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28373
NVD References:
- https://www.rcesecurity.com/2026/03/stackfield-desktop-app-rce-via-path-traversal-and-arbitrary-file-write-cve-2026-28373/
- https://www.rcesecurity.com/advisories/cve-2026-28373/
CVE-2026-28798 - ZimaOS version 1.5.2 and earlier exposes a proxy endpoint that can be abused to gain unauthenticated access to sensitive local services.
Product: ZimaOS
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28798
NVD References: https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m
CVE-2017-20234 - GarrettCom Magnum 6K and 10K managed switches have an authentication bypass vulnerability that enables unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the authentication mechanism.
Product: GarrettCom Magnum 6K and 10K managed switches
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20234
NVD References:
- https://assets.belden.com/m/114be964b4651983/original/Security-Bulletin-MNS-6K-10K-GarrettCom-BSECV-2017-08.pdf
- https://www.vulncheck.com/advisories/garrettcom-magnum-6k-and-10k-authentication-bypass-via-hardcoded-string
CVE-2017-20235 & CVE-2017-20236 - Vulnerabilities in ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways.
Product: ProSoft Technology ICX35-HWC
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20235
NVD References:
- https://assets.belden.com/m/1281cac2c9e90abf/original/Security-Bulletin-Authentication-Security-ProSoft-ICX35-BSECV-2017-09.pdf
- https://www.vulncheck.com/advisories/prosoft-technology-icx35-hwc-authentication-bypass
- https://assets.belden.com/m/1116a05ab702b2ba/original/Security-Bulletin-User-Interface-ProSoft-ICX35-BSECV-2017-10.pdf
- https://www.vulncheck.com/advisories/prosoft-technology-icx35-hwc-command-injection-via-web-interface
CVE-2026-34612 - Kestra prior to version 1.3.7 is vulnerable to SQL Injection leading to Remote Code Execution in the "GET /api/v1/main/flows/search" endpoint, allowing attackers to run arbitrary OS commands on the host through a crafted link.
Product: Kestra
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34612
NVD References: https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x
CVE-2026-34934, CVE-2026-34935, CVE-2026-34938, CVE-2026-34952, CVE-2026-34953, CVE-2026-39305 - Multiple vulnerabilities in PraisonAI
Product: PraisonAI
CVSS Scores: 9.0 - 10.0
NVD References:
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cq8-3v94-434g
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jfxc-v5g9-38xr
CVE-2016-20052 - Snews CMS 1.7 is vulnerable to unrestricted file uploads, allowing unauthenticated attackers to upload arbitrary files, including malicious PHP executables, to execute remote code.
Product: Snews CMS 1.7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-20052
NVD References: https://www.vulncheck.com/advisories/snews-cms-unrestricted-file-upload-via-snews-files
CVE-2018-25254 - NICO-FTP 3.0.1.19 is vulnerable to a remote code execution via crafted FTP commands that exploit a buffer overflow in its exception handler.
Product: NICO-FTP 3.0.1.19
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25254
NVD References: https://www.vulncheck.com/advisories/nico-ftp-buffer-overflow-seh
CVE-2019-25687 - Pegasus CMS 1.0 is vulnerable to remote code execution via the extra_fields.php plugin, allowing unauthenticated attackers to execute arbitrary commands and obtain an interactive shell.
Product: Pegasus CMS 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25687
NVD References: https://www.vulncheck.com/advisories/pegasus-cms-remote-code-execution-via-extra-fields-php
CVE-2026-26026 - GLPI, prior to version 11.0.6, allows an administrator to perform template injections leading to remote code execution.
Product: GLPI
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26026
NVD References: https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h
CVE-2026-34841 - Bruno, an open source IDE for API testing, was vulnerable to a supply chain attack involving compromised versions of the axios npm package prior to 3.2.1, potentially affecting users of @usebruno/cli who installed between 00:21 UTC and ~03:30 UTC on March 31, 2026 - upgrade to 3.2.1 to protect against a deployed Remote Access Trojan (RAT).
Product: Bruno
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34841
NVD References: https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
CVE-2026-34976 - Dgraph allows unauthenticated attackers to overwrite the entire database and perform SSRF due to a missing authorization configuration in the restoreTenant admin mutation.
Product: Dgraph
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34976
NVD References: https://github.com/dgraph-io/dgraph/security/advisories/GHSA-p5rh-vmhp-gvcw
CVE-2026-35030 - LiteLLM is vulnerable to an attack where an unauthenticated attacker can craft a token to inherit a legitimate user's identity and permissions.
Product: LiteLLM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35030
NVD References: https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6
CVE-2026-35050 - text-generation-webui allows users to save extension settings in "py" format in the app root directory, leading to potential file overwrite vulnerabilities such as the "download-model.py" file.
Product: text-generation-webui
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35050
NVD References: https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv
CVE-2026-35171 - Kedro allows remote code execution through unsafe use of logging configuration.
Product: Kedro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35171
NVD References: https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r
CVE-2025-58349 & CVE-2025-54328 - Vulnerabilities in Samsung Mobile Processor, Wearable Processor, and Modem Exynos.
Product: Samsung Exynos 990
CVSS Scores: 9.1 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58349
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54328
NVD References:
- https://semiconductor.samsung.com/support/quality-support/product-security-updates/
- https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/
- https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/
CVE-2026-35022 - Anthropic Claude Code CLI and Claude Agent SDK are vulnerable to OS command injection in authentication helper execution due to lack of input validation, allowing attackers to execute arbitrary commands and steal credentials.
Product: Anthropic Claude Code CLI and Claude Agent SDK
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35022
NVD References:
- https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/
- https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper
CVE-2026-35459 - pyLoad, a free and open-source download manager written in Python, is vulnerable to server-side request forgery (SSRF) in versions 0.5.0b3.dev96 and earlier, allowing authenticated users with ADD permission to bypass IP validation and redirect to internal addresses.
Product: pyLoad
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35459
NVD References: https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg
CVE-2021-4473 - Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint.
Product: Tianxin Internet Behavior Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-4473
NVD References: https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php
CVE-2026-22679 - Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 are vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary commands through exposed debug functionality.
Product: Weaver (Fanwei) E-cology
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22679
NVD References: https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint
CVE-2026-5731, CVE-2026-5734, CVE-2026-5735 - Vulnerabilities in Mozilla Firefox and Thunderbird.
Product: Mozilla Firefox ESR, Thunderbird ESR, Firefox, Thunderbird
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5731
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5734
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5735
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2026-25/
- https://www.mozilla.org/security/advisories/mfsa2026-26/
- https://www.mozilla.org/security/advisories/mfsa2026-27/
- https://www.mozilla.org/security/advisories/mfsa2026-28/
- https://www.mozilla.org/security/advisories/mfsa2026-29/
CVE-2026-20889, CVE-2026-20911, CVE-2026-21413 - Heap-based buffer overflow vulnerabilities in LibRaw.
Product: LibRaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20889
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20911
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21413
NVD References:
- https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
- https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
- https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
CVE-2026-35490 - changedetection.io in versions prior to 0.54.8 allows for potential authentication bypass due to a decorator misplacement in Flask routes.
Product: changedetection.io web page change detection tool
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35490
NVD References: https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4
CVE-2026-23696 - Windmill CE and EE versions 1.276.0 through 1.603.2 allow authenticated attackers to inject SQL through the owner parameter, leading to sensitive data exposure and potential arbitrary code execution.
Product: Windmill CE and EE
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23696
NVD References: https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce
CVE-2026-4631 - Cockpit's remote login feature allows an attacker to execute code on the host without valid credentials by injecting malicious SSH options or shell commands.
Product: Cockpit remote login feature
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4631
NVD References:
- https://access.redhat.com/security/cve/CVE-2026-4631
- https://bugzilla.redhat.com/show_bug.cgi?id=2450246
CVE-2026-39847 - Emmett is vulnerable to path traversal attacks in versions prior to 2.8.1, allowing attackers to access arbitrary files outside the assets directory.
Product: Emmett Python web framework
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39847
NVD References: https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356
CVE-2026-3300 - The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection due to improper escaping in the Calculation Addon's process_filter() function.
Product: Everest Forms Pro WordPress
Active Installations: Unknown. Update to version 1.9.13, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3300
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
CVE-2025-15484 - The Order Notification for WooCommerce WordPress plugin before 3.6.3 allows unauthenticated users to gain full read/write access to store resources.
Product: Order Notification for WooCommerce WordPress plugin
Active Installations: 900+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15484
NVD References: https://wpscan.com/vulnerability/ee9f1c0c-86bb-4922-9eb5-8aae78003eff/
CVE-2026-0740 - The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads up to version 3.3.26, allowing unauthenticated attackers to upload malicious files and potentially execute remote code on the server.
Product: Ninja Forms File Uploads plugin for WordPress
Active Installations: Unknown. Update to version 3.3.27, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0740
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve
NO CUSTOMER ACTION REQUIRED TO ADDRESS THE FOLLOWING VULNERABILITIES
CVE-2026-26135 - Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability
Product: Microsoft Azure Custom Locations Resource Provider
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26135
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135
CVE-2026-32211 - Azure MCP Server Information Disclosure Vulnerability
Product: Microsoft Azure Web Apps
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32211
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32211
CVE-2026-32213 - Azure AI Foundry Elevation of Privilege Vulnerability
Product: Microsoft Azure AI Foundry
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32213
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32213
CVE-2026-33105 - Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
Product: Microsoft Azure Kubernetes Service
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33105
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105
CVE-2026-33107 - Azure Databricks Elevation of Privilege Vulnerability
Product: Microsoft Azure Databricks
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33107
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33107
CVE-2026-32186 - Microsoft Bing Elevation of Privilege Vulnerability
Product: Microsoft Bing
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32186
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32186
The CISO's Cloud-Native Org Chart Playbook. This playbook is for security leaders scaling CloudSec teams who need a structure that keeps up with cloud complexity. Built specifically for modern cloud-forward security teams, it breaks down how CISOs structure cloud security functions today, including emerging roles, team models, reporting lines, and practical templates for planning headcount and responsibilities across cloud, AppSec, platform security, and more.
Spring Cyber Solutions Fest | May 5-7, 2026 | Learn from SANS experts and build skills in emerging technologies, cloud security, detection and response, exposure management, insider threats, malware, and ransomware.
Webinar | Beyond Backup: Identity Resilience for the Modern Enterprise | Wednesday, April 22, 2026 at 1:00 PM ET.
Webinar | Air-Gapped Security in a Connected World | Thursday, April 23, 2026 at 3:30 PM ET.