[Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident
Published: 2026-04-22
Last Updated: 2026-04-22 00:03:04 UTC
by L. Carty, SANS.edu BACS Student (Version: 1)
Introduction
A few weeks ago, my honeypot logged an incident that changed how I think about modern attacks. A threat actor broke into my system using weak SSH credentials and immediately started running commands. What started as a routine resource-hijacking attempt was followed by credential harvesting targeting Telegram Desktop session data.
This incident isn't just another story about cryptocurrency mining malware. It's a window into how modern threat actors are evolving their tactics - chaining initial access with credential theft to enable persistent, multi-layered exploitation. The commands I observed tell a story of methodical reconnaissance, from checking for competing miners to hunting for Telegram's tdata directory.
In this post, I'll walk through what I found, explain why the tdata folder is so valuable to threat actors, and share practical ways to protect it and manage your sessions.
The Attack Chain: A Conceptual Overview
Before diving into the actual commands, let's establish what we're looking at. Modern attacks rarely consist of a single malicious action and instead follow a progression. Below is the attack chain and corresponding MITRE ATT&CK Techniques.
1. Initial Access – Weak SSH credentials, phishing, or vulnerabilities (T1110.001)
2. Reconnaissance – System enumeration, identifying valuable targets (T1082, T1083)
3. Credential Harvesting – Extracting session tokens, passwords, or authentication data (T1555, T1005)
4. Account Takeover – Using stolen credentials for further access (T1078)
5. Exploitation – Social engineering, lateral movement, or monetization (T1041)
What made this particular attack notable was the explicit targeting of Telegram's local session data. Threat actors aren't just after CPU cycles anymore—they're after persistent access through compromised accounts that can be leveraged for ongoing exploitation.
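As an added example that is not part of the diary, the following Python maps honeypot-captured commands to the stages of the chain above and flags sessions in which a Telegram tdata reference follows the login. The log format (Cowrie-style JSON events), the sample lines, and the keyword rules are assumptions; T1057 for process listing is my addition and is not in the diary's list.

```python
"""Map honeypot shell commands to the attack-chain stages above and flag sessions
that go from weak-credential login to hunting for Telegram's tdata directory."""
import json
import re
from collections import defaultdict

# Constructed sample honeypot events in Cowrie-style JSON (one event per line).
# These are illustrative, not the diary's actual capture.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.success", "session": "a1b2c3", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "input": "nproc; cat /proc/cpuinfo | grep 'model name'"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "input": "ps aux | grep -i miner"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "input": "ls -la /home/*/.local/share/TelegramDesktop/tdata"}
{"eventid": "cowrie.login.success", "session": "d4e5f6", "username": "admin", "password": "admin"}
{"eventid": "cowrie.command.input", "session": "d4e5f6", "input": "uname -a"}
"""

# (stage, ATT&CK technique, pattern). Order matters: a tdata reference counts as
# harvesting even when it arrives via ls/find. T1057 (process discovery) is an
# assumption added for the "competing miner" check; the other IDs are the diary's.
STAGE_RULES = [
    ("Credential Harvesting", "T1555/T1005", re.compile(r"tdata|TelegramDesktop", re.I)),
    ("Reconnaissance", "T1082", re.compile(r"\b(uname|nproc|lscpu|hostnamectl)\b|/proc/cpuinfo")),
    ("Reconnaissance", "T1083", re.compile(r"\b(ls|find|locate)\b")),
    ("Reconnaissance", "T1057", re.compile(r"\b(ps|top|pgrep)\b")),
]


def classify(command: str) -> tuple[str, str]:
    """Return (stage, technique) for one command; unknown commands stay unclassified."""
    for stage, technique, pattern in STAGE_RULES:
        if pattern.search(command):
            return stage, technique
    return "Unclassified", "-"


def parse_sessions(log_text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Group events by session into ordered (stage, technique, detail) tuples."""
    sessions: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        sid = event["session"]
        if event["eventid"] == "cowrie.login.success":
            # A successful honeypot login is, by construction, a weak-credential hit.
            sessions[sid].append(("Initial Access", "T1110.001", f"login as {event['username']}"))
        elif event["eventid"] == "cowrie.command.input":
            stage, technique = classify(event["input"])
            sessions[sid].append((stage, technique, event["input"]))
    return dict(sessions)


def stage_chain(events: list[tuple[str, str, str]]) -> list[str]:
    """Collapse a session's events into the ordered list of distinct stages observed."""
    chain: list[str] = []
    for stage, _, _ in events:
        if not chain or chain[-1] != stage:
            chain.append(stage)
    return chain


def flag_tdata_sessions(sessions: dict[str, list[tuple[str, str, str]]]) -> dict[str, list[str]]:
    """Return sessions where Credential Harvesting appears after Initial Access."""
    flagged: dict[str, list[str]] = {}
    for sid, events in sessions.items():
        chain = stage_chain(events)
        if "Initial Access" in chain:
            after_login = chain[chain.index("Initial Access") + 1:]
            if "Credential Harvesting" in after_login:
                flagged[sid] = chain
    return flagged


if __name__ == "__main__":
    for sid, chain in flag_tdata_sessions(parse_sessions(SAMPLE_LOG)).items():
        print(sid, " -> ".join(chain))
```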
The Evidence: Live from the Honeypot
The following commands were captured in the honeypot's SSH logs immediately after the threat actor gained access. They show the threat actor’s intent to map the system, check for competition, and locate the *tdata* directory ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Beyond+Cryptojacking+Telegram+tdata+as+a+Credential+Harvesting+Vector+Lessons+from+a+Honeypot+Incident/32888/
A .WAV With A Payload
Published: 2026-04-21
Last Updated: 2026-04-21 07:14:56 UTC
by Didier Stevens (Version: 1)
There have been reports of threat actors using a .wav file as a vector for malware ...
Read the full entry: https://isc.sans.edu/diary/A+WAV+With+A+Payload/32910/
Handling the CVE Flood With EPSS
Published: 2026-04-20
Last Updated: 2026-04-20 06:43:22 UTC
by Xavier Mertens (Version: 1)
Every morning, security people around the world face the same ritual: opening their vulnerability feed to find a lot of new CVE entries that appeared overnight. Over the past decade, this flood has become a defining challenge of modern defensive security. Some numbers:
* CVEs published in 2023: 29K+
* CVEs published in 2024: 40K+
* New CVEs per day: ~110
* Exploited in the wild: ~5-7%
The root cause of this explosion is structural: the security research community has grown dramatically, bug bounty programs and automated scanning have industrialised vulnerability discovery, and software supply chains expose orders of magnitude more attack surface than legacy monolithic architectures ever did. And don’t forget AI, which is used more and more to find vulnerabilities!
Every CVE receives a CVSS (Common Vulnerability Scoring System) score, a value between 0 and 10 that attempts to express the intrinsic severity of a vulnerability. The score is based on core questions like: How bad is it if exploited? How complex is exploitation? What privileges are required? And what impact on confidentiality, integrity, and availability should we expect?
CVSS is a well-designed and useful standard. But initial triage remains challenging: which CVEs deserve to be investigated first? A CVSS 9.8 that sits dormant in obscure software is less dangerous in practice than a CVSS 6.5 actively chained in ransomware campaigns!
The Exploit Prediction Scoring System (EPSS) was developed by FIRST (Forum of Incident Response and Security Teams) and has gone through successive iterations since its public launch in 2021, with EPSS v3 released in March 2023 as the current production model. Its design philosophy is fundamentally different from CVSS: instead of rating theoretical impact, EPSS answers a probabilistic question. We already talked about EPSS a long time ago, but it doesn’t get enough attention from the community (IMHO).
How does it work? ...
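As an added example, not part of Xavier's post, the following Python ranks a constructed batch of CVEs the way the argument above suggests: known exploitation and EPSS first, CVSS only as the tie-breaker. It also scores a CVSS-cutoff strategy against an EPSS/KEV strategy on coverage and efficiency, the metrics FIRST uses when evaluating EPSS. The record structure, thresholds, sample scores and ground truth are assumptions.

```python
"""Rank a CVE batch by likelihood of exploitation (EPSS, KEV) instead of by CVSS alone."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float            # CVSS base score, 0.0 to 10.0: theoretical severity
    epss: float            # EPSS score: probability of exploitation in the next 30 days
    percentile: float      # EPSS percentile: fraction of all scored CVEs with a lower score
    in_kev: bool = False   # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample batch: placeholder IDs and illustrative scores, not real
# values for any published CVE.
SAMPLE_BATCH = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.004, percentile=0.71),               # critical on paper, dormant
    CveRecord("CVE-0000-0002", cvss=6.5, epss=0.93, percentile=0.998, in_kev=True),  # medium, actively chained
    CveRecord("CVE-0000-0003", cvss=7.5, epss=0.02, percentile=0.88),
    CveRecord("CVE-0000-0004", cvss=9.1, epss=0.31, percentile=0.97),
    CveRecord("CVE-0000-0005", cvss=5.3, epss=0.001, percentile=0.40),
    CveRecord("CVE-0000-0006", cvss=8.8, epss=0.15, percentile=0.95),
]

# Constructed ground truth for the strategy comparison: which sample CVEs
# "turned out" to be exploited within the window.
CONSTRUCTED_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}


def triage_tier(rec: CveRecord, epss_threshold: float = 0.10, pct_threshold: float = 0.95) -> int:
    """Remediation tier, 1 = most urgent.

    Known exploitation (KEV) beats any prediction, a high EPSS probability or
    percentile beats raw severity, and CVSS only decides among the remainder.
    """
    if rec.in_kev:
        return 1
    if rec.epss >= epss_threshold or rec.percentile >= pct_threshold:
        return 2
    if rec.cvss >= 9.0:
        return 3
    return 4


def prioritize(records: Iterable[CveRecord]) -> list[CveRecord]:
    """Order the batch: tier first, then EPSS, then CVSS as the final tie-breaker."""
    return sorted(records, key=lambda r: (triage_tier(r), -r.epss, -r.cvss))


def expected_exploited(records: Iterable[CveRecord]) -> float:
    """Expected number of CVEs in the batch exploited within 30 days (sum of EPSS probabilities)."""
    return sum(r.epss for r in records)


def coverage_efficiency(selected: set[str], exploited: set[str]) -> tuple[float, float]:
    """The two metrics FIRST uses to evaluate a remediation strategy:
    coverage   = exploited CVEs you patched / all exploited CVEs
    efficiency = exploited CVEs you patched / all CVEs you patched
    """
    hits = len(selected & exploited)
    coverage = hits / len(exploited) if exploited else 0.0
    efficiency = hits / len(selected) if selected else 0.0
    return coverage, efficiency


def compare_strategies(records: Iterable[CveRecord], exploited: set[str],
                       cvss_cutoff: float = 7.0, epss_cutoff: float = 0.10) -> dict[str, tuple]:
    """Patch-everything-above-CVSS-x versus patch-by-EPSS/KEV: (count patched, coverage, efficiency)."""
    records = list(records)
    by_cvss = {r.cve_id for r in records if r.cvss >= cvss_cutoff}
    by_epss = {r.cve_id for r in records if r.in_kev or r.epss >= epss_cutoff}
    return {
        "cvss": (len(by_cvss),) + coverage_efficiency(by_cvss, exploited),
        "epss": (len(by_epss),) + coverage_efficiency(by_epss, exploited),
    }


if __name__ == "__main__":
    for rec in prioritize(SAMPLE_BATCH):
        print(f"P{triage_tier(rec)} {rec.cve_id} cvss={rec.cvss} epss={rec.epss:.3f} kev={rec.in_kev}")
    print("expected exploited in batch:", round(expected_exploited(SAMPLE_BATCH), 3))
    print(compare_strategies(SAMPLE_BATCH, CONSTRUCTED_EXPLOITED))
```

On the constructed batch the CVSS-7.0 strategy patches four CVEs and misses the KEV-listed 6.5, while the EPSS/KEV strategy patches three and catches both exploited ones.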
Read the full entry: https://isc.sans.edu/diary/Handling+the+CVE+Flood+With+EPSS/32914/
Lumma Stealer infection with Sectop RAT (ArechClient2) (2026.04.17)
https://isc.sans.edu/diary/Lumma+Stealer+infection+with+Sectop+RAT+ArechClient2/32904/
[Guest Diary] Compromised DVRs and Finding Them in the Wild (2026.04.16)
https://isc.sans.edu/diary/Guest+Diary+Compromised+DVRs+and+Finding+Them+in+the+Wild/32886/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-32201 - Microsoft SharePoint Server Spoofing Vulnerability
Product: Microsoft SharePoint Server
CVSS Score: 6.5
** KEV since 2026-04-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32201
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
NVD References: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-32201
CVE-2025-32975 - Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Product: Quest KACE Systems Management Appliance (SMA)
CVSS Score: 10.0
** KEV since 2026-04-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32975
ISC Podcast: https://isc.sans.edu/podcastdetail/
NVD References:
- https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975
CVE-2026-39808 - Fortinet FortiSandbox is susceptible to unauthorized code execution through an OS command injection in versions 4.4.0 through 4.4.8.
Product: Fortinet FortiSandbox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39808
ISC Podcast: https://isc.sans.edu/podcastdetail/9898
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-26-100
CVE-2026-39813 - Fortinet FortiSandbox is vulnerable to a path traversal flaw allowing an attacker to escalate privilege by manipulating file paths.
Product: Fortinet FortiSandbox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39813
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-26-112
CVE-2026-40175 - Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Product: Axios
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40175
ISC Podcast: https://isc.sans.edu/podcastdetail/9890
NVD References: https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
CVE-2026-20180 & CVE-2026-20186 - Cisco Identity Services Engine (ISE) is vulnerable to remote authenticated attackers executing arbitrary commands on the underlying operating system by exploiting insufficient validation of user-supplied input.
Product: Cisco Identity Services Engine (ISE)
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20180
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20186
ISC Podcast: https://isc.sans.edu/podcastdetail/9896
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-4fverepv
CVE-2026-20184 - Cisco Webex Services had a vulnerability in SSO integration with Control Hub that allowed unauthenticated attackers to impersonate any user by exploiting improper certificate validation.
Product: Cisco Webex Services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20184
ISC Podcast: https://isc.sans.edu/podcastdetail/9896
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
CVE-2026-26149 - Microsoft Power Apps Spoofing Vulnerability
Product: Microsoft Power Apps
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26149
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149
CVE-2026-33824 - Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
Product: Microsoft Windows 10 1607
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33824
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824
CVE-2026-5189 - Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 contains hard-coded credentials, allowing unauthenticated attackers to gain unauthorized access to the internal database and execute arbitrary OS commands.
Product: Sonatype Nexus Repository Manager
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5189
ISC Podcast: https://isc.sans.edu/podcastdetail/9896
NVD References: https://support.sonatype.com/hc/en-us/articles/50817138825491
CVE-2026-40372 - ASP.NET Core Elevation of Privilege Vulnerability
Product: Microsoft ASP.NET Core
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40372
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372
CVE-2026-27143 - A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption.
Product: cmd/compile package in the Go standard library
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27143
References: https://access.redhat.com/security/cve/cve-2026-27143
CVE-2026-27140 - A flaw was found in the Go programming language (golang) and its command-line tool (cmd/go). A remote attacker could exploit this during the build process by crafting malicious SWIG (Simplified Wrapper and Interface Generator) file names that contain "cgo" and specific payloads. This could lead to code smuggling and arbitrary code execution, bypassing trust mechanisms and allowing the attacker to run unauthorized code.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27140
References: https://access.redhat.com/security/cve/cve-2026-27140
CVE-2026-27681 - SAP Business Planning and Consolidation and SAP Business Warehouse are vulnerable to SQL injection attacks, allowing unauthorized users to access, alter, and delete database information, compromising system security.
Product: SAP Business Planning and Consolidation
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27681
CVE-2026-6264 - Talend JobServer and Talend Runtime are vulnerable to unauthenticated remote code execution via the JMX monitoring port, with mitigation options available for both products.
Product: Talend JobServer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6264
NVD References: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974
CVE-2026-40288, CVE-2026-40289, CVE-2026-40313, CVE-2026-40315 - Multiple vulnerabilities in PraisonAI.
Product: PraisonAI
CVSS Score: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40288
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40289
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40313
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40315
NVD References:
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp
- https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens
CVE-2026-31908 - Apache APISIX is vulnerable to header injection, allowing attackers to exploit the forward-auth plugin configuration to inject malicious headers, affecting versions 2.12.0 through 3.15.0.
Product: Apache APISIX
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31908
NVD References: https://lists.apache.org/thread/sob643s5lztov7x579j8o0c444t36n6b
CVE-2026-25917 - Apache Airflow allows Dag Authors to craft a malicious XCom payload, potentially leading to arbitrary code execution in the webserver context.
Product: Apache Airflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25917
NVD References: https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
CVE-2026-33557 - Apache Kafka has a security vulnerability where it accepts any JWT token without validation, allowing an attacker to generate a token with any user.
Product: Apache Kafka
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33557
NVD References: https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h
CVE-2026-31049 - Hostbill v.2025-11-24 and 2025-12-01 versions enable remote attackers to execute arbitrary code and escalate privileges through the CSV registration field.
Product: Hostbill v.2025-11-24 and 2025-12-01
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31049
CVE-2025-61260 - OpenAI Codex CLI v0.23.0 and before allows code execution via malicious MCP configuration files when running the codex command within a compromised repository.
Product: OpenAI Codex CLI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61260
NVD References: https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
CVE-2025-70023 - An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
Product: transloadit uppy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70023
CVE-2026-27243, CVE-2026-27245, CVE-2026-27246, CVE-2026-27303, CVE-2026-34615 - Multiple vulnerabilities in Adobe Connect versions 2025.3, 12.10 and earlier.
Product: Adobe Connect
CVSS Scores: 9.3 - 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27243 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27245 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27246 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27303 (deserialization of untrusted data)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34615 (deserialization of untrusted data)
NVD References: https://helpx.adobe.com/security/products/connect/apsb26-37.html
CVE-2026-27304 - ColdFusion versions 2023.18, 2025.6 and earlier are vulnerable to an Improper Input Validation issue that allows for arbitrary code execution without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27304
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html
CVE-2026-5752 - Terrarium is vulnerable to sandbox escape, allowing attackers to execute arbitrary code with root privileges via JavaScript prototype chain traversal.
Product: Terrarium
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5752
NVD References: https://www.kb.cert.org/vuls/id/414811
CVE-2026-34457 - OAuth2 Proxy prior to version 7.15.2 is vulnerable to an authentication bypass in certain configurations, allowing unauthenticated remote attackers to access protected resources.
Product: OAuth2 Proxy
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34457
NVD References: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v
CVE-2026-35031 - Jellyfin, an open source self hosted media server, had a vulnerability chain in versions prior to 10.11.7 that allowed for arbitrary file write and ultimately remote code execution as root via ld.so.preload.
Product: Jellyfin self hosted media server
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35031
NVD References: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3
CVE-2026-39399 - NuGet Gallery is vulnerable to a remote code execution and arbitrary blob write attack due to insufficient input validation in the handling of .nuspec files within NuGet packages.
Product: NuGet Gallery
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39399
NVD References: https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr
CVE-2026-39842 - OpenRemote, an open-source IoT platform, is vulnerable to two expression injection flaws in versions 1.21.0 and below, allowing attackers to execute arbitrary code on the server through the insecure JavaScript rules engine.
Product: OpenRemote IoT platform
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39842
NVD References: https://github.com/openremote/openremote/security/advisories/GHSA-7mqr-33rv-p3mp
CVE-2026-33807 - @fastify/express v4.0.4 and earlier has a path handling bug that doubles middleware paths when inherited by child plugins, potentially leading to a full bypass of security controls without any special configuration or request manipulation necessary.
Product: Fastify @fastify/express
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33807
NVD References: https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
CVE-2026-6270 - @fastify/middie versions 9.3.1 and earlier fail to inherit parent authentication middleware in child plugin scopes, allowing unauthenticated requests to bypass security checks, fixed in version 9.3.2.
Product: Fastify @fastify/middie
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6270
NVD References:
- https://cna.openjsf.org/security-advisories.html
- https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
CVE-2026-30625 - Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality, allowing users to define tasks with arbitrary command and args values that may lead to remote code execution with Upsonic process privileges.
Product: Upsonic MCP Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30625
NVD References: https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
CVE-2026-20147 - Cisco ISE and Cisco ISE-PIC have a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
Product: Cisco ISE and ISE-PIC
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20147
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ
CVE-2025-41118 - Pyroscope, when using Tencent Cloud Object Storage (COS) as its storage backend, exposes the secret_key configuration value through its API, requiring direct access for exploitation.
Product: Grafana Pyroscope
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41118
NVD References: https://grafana.com/security/security-advisories/cve-2025-41118
CVE-2026-40173 - Dgraph has an unauthenticated credential disclosure vulnerability in versions 25.3.1 and prior, allowing attackers to retrieve admin tokens and gain unauthorized privileged administrative access.
Product: Dgraph
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40173
NVD References: https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p
CVE-2026-6388 - ArgoCD Image Updater is prone to a vulnerability that enables an attacker in a multi-tenant environment to bypass namespace boundaries and trigger unauthorized image updates.
Product: ArgoCD Image Updater
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6388
NVD References: https://access.redhat.com/security/cve/CVE-2026-6388
CVE-2026-40959 - Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
Product: Luanti 5
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40959
NVD References: https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3
CVE-2026-40504 - Creolabs Gravity before 0.9.6 is vulnerable to a heap buffer overflow, allowing attackers to execute arbitrary code through crafted scripts with string literals.
Product: Creolabs Gravity
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40504
NVD References: https://www.vulncheck.com/advisories/creolabs-gravity-heap-buffer-overflow-via-gravity-vm-exec
CVE-2026-6350 - MailGates/MailAudit developed by Openfind is vulnerable to a Stack-based Buffer Overflow, enabling unauthorized remote hackers to take control of the program's operations and run malicious code.
Product: MailGates/MailAudit
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6350
NVD References: https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html
CVE-2026-31843 - The goodoneuz/pay-uz Laravel package (<= 2.2.24) has a critical vulnerability in the /payment/api/editable/update endpoint allowing unauthenticated attackers to overwrite PHP payment hook files, leading to remote code execution.
Product: goodoneuz pay-uz Laravel package
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31843
CVE-2026-33082 & CVE-2026-33122 - DataEase SQL injection vulnerabilities.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33082
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33122
NVD References:
- https://github.com/dataease/dataease/security/advisories/GHSA-xxpw-2c8q-g693
- https://github.com/dataease/dataease/security/advisories/GHSA-28vg-3hv7-w92f
CVE-2026-40322 - SiYuan allows for arbitrary code execution through stored XSS in Mermaid diagrams in versions 3.6.3 and below, which has been fixed in version 3.6.4.
Product: SiYuan
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40322
NVD References: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5
CVE-2026-34018 - CubeCart is vulnerable to SQL injection prior to version 6.6.0, enabling attackers to execute arbitrary SQL commands.
Product: CubeCart
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34018
CVE-2026-6284 - Horner Automation Cscape and XL4, XL7 PLC allows attacker with network access to brute force discover passwords due to limited complexity and lack of input limiters, leading to unauthorized system and service access.
Product: Horner Automation Cscape and XL4, XL7 PLC
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6284
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02
CVE-2026-40525 - OpenViking is vulnerable to an authentication bypass flaw that allows remote attackers to exploit privileged bot-control functionalities when the api_key configuration value is unset or empty.
Product: OpenViking
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40525
NVD References: https://www.vulncheck.com/advisories/openviking-authentication-bypass-via-vikingbot-openapi
CVE-2026-35546 - Anviz CX2 Lite and CX7 allow unauthenticated firmware upload, enabling code execution and reverse shell attacks.
Product: Anviz CX2 Lite and CX7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35546
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
CVE-2026-40342 - Firebird, an open-source relational database management system, allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code as the server's OS account due to a path traversal vulnerability in versions prior to 5.0.4, 4.0.7, and 3.0.14.
Product: Firebird open-source relational database management system
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40342
NVD References: https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7pxc-h3rv-r257
CVE-2026-40258 - The Gramps Web API is vulnerable to a path traversal (Zip Slip) in versions 1.6.0 through 3.11.0, allowing an authenticated user with owner-level privileges to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem.
Product: Gramps Web API
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40258
NVD References: https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp
CVE-2026-40351 - FastGPT prior to version 4.14.9.5 allows unauthenticated attackers to bypass password checks and login as any user through a NoSQL injection vulnerability in the password-based login endpoint.
Product: FastGPT AI Agent building platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40351
CVE-2026-40477 & CVE-2026-40478 - Improper neutralization of special elements vulnerabilities in Thymeleaf version 3.1.3.RELEASE.
Product: Thymeleaf
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40477 (improper neutralization of special elements)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40478
NVD References:
- https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
- https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
CVE-2026-40324 - Hot Chocolate is vulnerable to a `StackOverflowException` due to a lack of recursion depth limit in versions prior to 12.22.7, 13.9.16, 14.3.1, and 15.1.14, which can be triggered by crafted GraphQL documents with deeply nested structures, causing immediate termination of the worker process without any chance for interception or mitigation.
Product: Hot Chocolate
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40324
NVD References: https://github.com/ChilliCream/graphql-platform/security/advisories/GHSA-qr3m-xw4c-jqw3
CVE-2026-40317 & CVE-2026-40572 - Vulnerabilities in NovumOS prior to version 0.24.
Product: NovumOS
CVSS Scores: 9.0 - 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40317
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40572
NVD References:
- https://github.com/MinecAnton209/NovumOS/security/advisories/GHSA-xjx3-gjh9-45fm
- https://github.com/MinecAnton209/NovumOS/security/advisories/GHSA-rg7m-6vh7-f4v2
CVE-2026-32956 - SD-330AC and AMC Manager provided by silex technology, Inc. are vulnerable to a heap-based buffer overflow when processing redirect URLs, allowing for arbitrary code execution.
Product: Silex SD-330AC and AMC Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32956
NVD References: https://www.silex.jp/support/security-advisories/en/2026-001
CVE-2026-5963 & CVE-2026-5964 - SQL injection vulnerabilities in EasyFlow .NET by Digiwin.
Product: Digiwin EasyFlow .NET
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5963
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5964
NVD References: https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html
CVE-2026-5760 - SGLang's reranking endpoint (/v1/rerank) is vulnerable to Remote Code Execution via malicious tokenizer.chat_template in unsandboxed jinja2.Environment().
Product: SGLang reranking endpoint
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5760
NVD References: https://www.kb.cert.org/vuls/id/915947
CVE-2026-24467 - OpenAEV allows for a reliable account takeover due to multiple security weaknesses in its password reset implementation.
Product: OpenAEV
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24467
NVD References: https://github.com/OpenAEV-Platform/openaev/security/advisories/GHSA-vcjx-vw28-25p2
CVE-2026-30269 - Doorman v0.1.0 and v1.0.2 allows authenticated users to update their own accounts to non-admin roles, leading to potential privilege escalation.
Product: Doorman v0.1.0 and v1.0.2
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30269
CVE-2026-29649 - NEMU's implementation flaw in RISC-V Hypervisor CSR handling can allow machine-mode writes to menvcfg to inadvertently modify the hypervisor's environment configuration, potentially leading to virtualization misconfigurations and possible denial of service.
Product: NEMU RISC-V Hypervisor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29649
CVE-2026-32604 & CVE-2026-32613 - Vulnerabilities in Spinnaker versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2.
Product: Spinnaker
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32604
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32613
NVD References:
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6
CVE-2026-5450 - GNU C Library versions 2.7 to 2.43 may experience a heap buffer overflow when using %mc with a format width greater than 1024 in the scanf family of functions.
Product: GNU C Library
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5450
CVE-2026-41329 - OpenClaw before 2026.3.31 is vulnerable to a sandbox bypass allowing attackers to escalate privileges by manipulating parameters and context inheritance.
Product: OpenClaw before 2026.3.31
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41329
NVD References: https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation
CVE-2026-5965 - NewSoftOA, developed by NewSoft, is vulnerable to OS Command Injection, enabling local attackers to inject and execute arbitrary OS commands without authentication.
Product: NewSoftOA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5965
NVD References: https://www.twcert.org.tw/en/cp-139-10857-c46f7-2.html
CVE-2026-6748 - Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6748
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2026-30/
- https://www.mozilla.org/security/advisories/mfsa2026-32/
CVE-2026-6768 - Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6768
NVD References: https://www.mozilla.org/security/advisories/mfsa2026-30/
CVE-2026-6771 - Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6771
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2026-30/
- https://www.mozilla.org/security/advisories/mfsa2026-32/
CVE-2017-20230 - Storable versions before 3.05 for Perl are vulnerable to a stack overflow due to a mismatch in how class name lengths are handled.
Product: Storable for Perl
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20230
References: https://www.openwall.com/lists/oss-security/2026/04/21/5
CVE-2025-15638 - Net::Dropbear versions before 0.14 for Perl contain a vulnerable version of libtomcrypt, exposing users to CVE-2016-6129 and CVE-2018-12437.
Product: Net::Dropbear for Perl
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15638
CVE-2026-40050 - LogScale has a critical unauthenticated path traversal vulnerability that can allow remote attackers to read files from the server filesystem.
Product: LogScale
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40050
NVD References: https://www.crowdstrike.com/en-us/security-advisories/cve-2026-40050/
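For path traversal bugs like the LogScale one, the check that matters is on the canonical filesystem path, not on the string the client sent. The following Python function is an added example, not CrowdStrike's or LogScale's code: it resolves an untrusted request path under a root directory and rejects anything that escapes it, including percent-encoded dot segments, absolute paths and embedded NUL bytes. The ROOT directory and the sample request paths are hypothetical.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the demo; the real server's directory
# layout is not known from the advisory.
ROOT = "/srv/files"


def resolve_under_root(user_path: str, root: str = ROOT):
    """Map an untrusted request path to a file under root, or return None.

    1. percent-decode once, because "%2e%2e" is ".." to the filesystem but
       not to a naive string check (decode only once: a second decode would
       re-open the door to "%252e%252e");
    2. reject NUL bytes, which truncate paths in C APIs;
    3. treat the request as relative so a leading "/" cannot replace root;
    4. canonicalise with realpath so ".." segments and symlinks collapse;
    5. confirm the canonical candidate still lies inside the canonical root.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    relative = decoded.lstrip("/")
    canonical_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(canonical_root, relative))
    try:
        inside = os.path.commonpath([canonical_root, candidate]) == canonical_root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def is_traversal(user_path: str, root: str = ROOT) -> bool:
    """Convenience wrapper for detection rules: True when the request escapes root."""
    return resolve_under_root(user_path, root) is None


if __name__ == "__main__":
    # Constructed sample requests, the kind an access log would show.
    for req in ["reports/today.log", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd",
                "reports/..%2f..%2fetc/shadow"]:
        print(f"{req!r:40} -> {resolve_under_root(req)}")
```

The same comparison on the resolved path is what you want when triaging a traversal report against your own code: if a handler compares the raw request string against a prefix, or decodes it more than once, it is the pattern to fix.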
CVE-2026-5652 - Crafty Controller has an insecure direct object reference vulnerability in its Users API component, allowing authenticated attackers to modify user data.
Product: Crafty Controller
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5652
CVE-2026-40884 & CVE-2026-40903 - Vulnerabilities in Goshs, a SimpleHTTPServer-like file server written in Go.
Product: Goshs
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40884
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40903
NVD References:
- https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv
- https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf
CVE-2026-33518 & CVE-2026-33519 - Incorrect privilege assignment vulnerabilities in Esri Portal for ArcGIS.
Product: Esri Portal for ArcGIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33518
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33519
NVD References: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
CVE-2026-34275 - Oracle Advanced Inbound Telephony in Oracle E-Business Suite (Setup and Administration component), versions 12.2.3 through 12.2.15, is vulnerable to an easily exploitable flaw that allows unauthenticated attackers to compromise the component and potentially take it over.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34275
NVD References: https://www.oracle.com/security-alerts/cpuapr2026.html
CVE-2026-34279 - Oracle Enterprise Manager Base Platform is susceptible to an easily exploitable vulnerability that allows a highly privileged attacker to compromise it via HTTP, with potential impact on additional products.
Product: Oracle Enterprise Manager Base Platform
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34279
NVD References: https://www.oracle.com/security-alerts/cpuapr2026.html
CVE-2026-34285, CVE-2026-34286, CVE-2026-34287 - Multiple vulnerabilities in Oracle Identity Manager Connector.
Product: Oracle Identity Manager Connector
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34285
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34286
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34287
NVD References: https://www.oracle.com/security-alerts/cpuapr2026.html
CVE-2026-40906 - ElectricSQL's Postgres sync engine, from version 1.1.12 to before 1.5.0, is vulnerable to error-based SQL injection through the order_by parameter of the /v1/shape API, which could allow authenticated users to access and manipulate the entire PostgreSQL database.
Product: Electric Postgres sync engine
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40906
NVD References: https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj
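The order_by entry is a reminder that a sort column cannot be passed as a bind parameter, so string concatenation is the usual mistake behind this class of bug. The following Python/sqlite3 script is an added example, not ElectricSQL's code: it shows an attacker using a CASE expression in order_by to turn the sort order into a boolean oracle on data from another table, next to an allowlist-based query builder that refuses anything other than a bare column name with an optional direction. The items and secrets tables, the ALLOWED_COLUMNS set and the function names are constructed for the demo.

```python
import re
import sqlite3

# Constructed demo schema: a synced table plus a secret the attacker wants
# to infer. Neither is ElectricSQL's real schema.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO items VALUES (1, 'alpha'), (2, 'bravo'), (3, 'charlie');
CREATE TABLE secrets (secret TEXT);
INSERT INTO secrets VALUES ('s3cr3t');
"""

# Hypothetical allowlist: the only columns a client may sort on.
ALLOWED_COLUMNS = frozenset({"id", "title"})

# Attacker-controlled order_by values. The CASE expression makes the sort
# order depend on the first character of the secret, so the response
# ordering becomes a one-bit oracle that can be iterated over the string.
ORACLE_TRUE = "CASE WHEN (SELECT secret FROM secrets) LIKE 's%' THEN id ELSE -id END"
ORACLE_FALSE = "CASE WHEN (SELECT secret FROM secrets) LIKE 'x%' THEN id ELSE -id END"


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_query(order_by: str) -> str:
    """Anti-pattern: the untrusted sort expression is concatenated into SQL.
    Bind parameters cannot cover ORDER BY, so the client controls an expression."""
    return f"SELECT id, title FROM items ORDER BY {order_by}"


# One term: an identifier, optionally followed by whitespace and ASC/DESC.
_TERM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.IGNORECASE)


def build_safe_query(order_by: str, allowed: frozenset = ALLOWED_COLUMNS) -> str:
    """Hardened form: accept only 'column [ASC|DESC]' terms whose column is on
    the allowlist, then emit quoted identifiers so nothing the client sent
    reaches the SQL text verbatim."""
    terms = []
    for raw in order_by.split(","):
        m = _TERM.match(raw.strip())
        if m is None or m.group(1) not in allowed:
            raise ValueError(f"rejected order_by term: {raw.strip()!r}")
        direction = (m.group(2) or "asc").upper()
        terms.append(f'"{m.group(1)}" {direction}')
    return "SELECT id, title FROM items ORDER BY " + ", ".join(terms)


def run_vulnerable(order_by: str) -> list[str]:
    conn = _connect()
    return [title for _, title in conn.execute(build_vulnerable_query(order_by))]


def run_safe(order_by: str) -> list[str]:
    conn = _connect()
    return [title for _, title in conn.execute(build_safe_query(order_by))]


def is_rejected(order_by: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_safe_query(order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Ordering flips with the secret's first letter: the vulnerable path leaks it.
    print(run_vulnerable(ORACLE_TRUE), run_vulnerable(ORACLE_FALSE))
    print(is_rejected(ORACLE_TRUE), run_safe("title desc"))
```

The same allowlist approach applies to any identifier a client is allowed to choose (table names, column lists, GROUP BY), because database drivers only parameterise values. The error-based variant named in the advisory works the same way, except that the attacker-chosen expression is built to raise a database error whose message carries the data.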
CVE-2026-40911 - WWBN AVideo versions 29.0 and prior relay unsanitized JSON messages to connected clients, enabling unauthenticated attackers to execute arbitrary JavaScript and thereby achieve universal account takeover, session theft, and privileged action execution.
Product: WWBN AVideo
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40911
NVD References: https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr
CVE-2026-40933 - Flowise prior to version 3.1.0 allows an authenticated attacker to achieve command execution by adding an MCP stdio server with an arbitrary command, due to unsafe serialization of stdio commands in the MCP adapter.
Product: Flowise
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40933
NVD References: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp