Proxying the Unproxyable? Sending EXE traffic to a Proxy
Published: 2026-05-13
Last Updated: 2026-05-13 01:20:35 UTC
by Rob VandenBrink (Version: 1)
.. if “unproxyable” is a word that is ..
I had a recent engagement where I had to look at the network traffic generated by a Windows executable. Unfortunately, it was all TLS, and all TLS1.3 to boot. So from a PCAP all I got was a whole lot of “yup, that’s encrypted”, and since it was TLSv1.3 all I really had to work with was the IP addresses, not even server names in the server hello packets to help out. And the IP addresses involved were those “500 DNS names AWS” shotgun addresses, so no help there.
What I really needed was something to take specific traffic, say traffic from an executable, and redirect that to a proxy. If that proxy is then burp suite, then Bob’s yer Uncle, now I can look at the traffic!! If you’d rather use fiddler or some other proxy, go for it, anything will work.
A few minutes of Googling, and I found Proxifier (hxxps://www.proxifier.com/)
Proxifier allows you to set up rules, for instance “send traffic from abc.exe to proxy A”, “send traffic from def.exe to proxy B”, or “send everything else direct”, or any combination. Proxies can be direct or Socks5.
In my case, I was looking at a client executable, and was able to follow all the API calls and data transferred, it was EXACTLY what I needed that day.
I can’t show you the client output - watching the APIs roll by was as cool as it gets though, and the proxy intercept in Burp lets you “play” with individual calls if that’s what you need. But I can certainly show you how this works, let’s use curl as our example exe.
Let's start in proxifier. First you need to set up your proxy(s). In this case I'm using Burp Suite Pro running locally, so the proxy is ...
Read the full entry: https://isc.sans.edu/diary/Proxying+the+Unproxyable+Sending+EXE+traffic+to+a+Proxy/32982/
[GUEST DIARY] Tearing apart website fraud to see how it works.
Published: 2026-05-13
Last Updated: 2026-05-13 06:29:07 UTC
by Mark Baggett (Version: 3)
[This is a Guest Diary by Joshua Nikolson, an ISC Intern and part of the SANS.edu Bachelor's degree in Applied Cybersecurity (BACS) program.]
Introduction
One day at work, a friend messaged me, “How do you check a website to see if it’s legit?” This friend recently received a phishing text message from a “bank”, and I figured he wanted to be careful and double-check. I told him to put the URL into VirusTotal but said that just because it may say it’s clean, that doesn’t mean it’s not malicious.
He sent me a screenshot of the VirusTotal page for the URL, with no detections and everything showing green. I took a moment to look at it a little more closely. The domain name was unusual, and right off the bat I could see it had been created in the last few months. As of now, it has one detection from a vendor. All domains mentioned in this blogpost will be listed in the Indicators of Compromise section at the end ...
Going to the site, I could immediately tell that something was off about it. It was a secondhand marketplace that seemed to sell just about everything under the sun, with tons of listings in each category and items priced too good to be true. While the site had that “AI vibecoded feeling”, I wanted to give my friend something more concrete than “don’t trust this site”.
I decided to reverse image search one of the product images, a Lenovo ThinkPad battery replacement, and after some digging, I found an eBay listing with all the same product images and item descriptions. I did this for a few more of the site’s listings and came to the same result. I let my friend know, and he said, “Yeah, it looked too good to be true” ...
Read the full entry: https://isc.sans.edu/diary/GUEST+DIARY+Tearing+apart+website+fraud+to+see+how+it+works/32958/
Microsoft May 2026 Patch Tuesday
Published: 2026-05-12
Last Updated: 2026-05-12 18:29:36 UTC
by Johannes Ullrich (Version: 1)
Today's Microsoft patch Tuesday fixes 137 different vulnerabilities. In addition, the update addresses 137 Chromium-related issues affecting Microsoft Edge.
There are no already disclosed or already exploited vulnerabilities included in today's patches. I removed the Chromium issues from the table below and included only the 137 Microsoft issues to make it more readable.
Note that issues related to Microsoft Azure are labeled as "no customer action required."
Significant Vulnerabilities of interest:
CVE-2026-41103: This vulnerability affects the Microsoft SSO Plugin for Jira & Confluence. Exploitation could lead to an elevation of privileges. With ongoing supply chain attacks, development and CI/CD tools like Jira and Confluence are popular targets.
CVE-2026-41089: A preauthentication remote code execution vulnerability in the Netlogon service will always be a juicy target, worth some AI tokens to write an exploit for.
Other critical vulnerabilities include the usual Word and Microsoft Office issues ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+May+2026+Patch+Tuesday/32980/
Apple Patches Everything (2026.05.11)
https://isc.sans.edu/diary/Apple+Patches+Everything/32976/
Why we use CAPTCHAs (2026.05.11)
https://isc.sans.edu/diary/Why+we+use+CAPTCHAs/32974/
YARA-X 1.16.0 Release (2026.05.10)
https://isc.sans.edu/diary/YARAX+1160+Release/32970/
Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag (2026.05.08)
An Adaptive Cyber Analytics UI for Web Honeypot Logs [Guest Diary] (2026.05.06)
https://isc.sans.edu/diary/An+Adaptive+Cyber+Analytics+UI+for+Web+Honeypot+Logs+Guest+Diary/32962/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-31431 - Linux kernel: A vulnerability in crypto: algif_aead has been resolved by reverting to operating out-of-place for improved efficiency and simplicity.
Product: Linux kernel
CVSS Score: 0
** KEV since 2026-05-01 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
ISC Diary: https://isc.sans.edu/diary/32968
ISC Podcast: https://isc.sans.edu/podcastdetail/9914
CVE-2022-0847 - Linux Kernel Privilege Escalation Vulnerability
Product: Linux kernel
CVSS Score: 0
** KEV since 2022-04-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0847
ISC Diary: https://isc.sans.edu/diary/32968
CVE-2016-5195 - Linux Kernel Race Condition Vulnerability
Product: Linux kernel
CVSS Score: 0
** KEV since 2022-03-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-5195
ISC Diary: https://isc.sans.edu/diary/32968
CVE-2026-0300 - Palo Alto Networks PAN-OS software is vulnerable to a buffer overflow issue in the User-ID™ Authentication Portal, allowing attackers to execute code with root privileges through specially crafted packets.
Product: Palo Alto Networks PAN-OS
CVSS Score: 9.8
** KEV since 2026-05-06 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0300
ISC Podcast: https://isc.sans.edu/podcastdetail/9922
NVD References:
- https://security.paloaltonetworks.com/CVE-2026-0300
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
CVE-2026-42208 - LiteLLM is vulnerable to an unauthenticated attacker exploiting a database query vulnerability in versions 1.81.16 to 1.83.7, allowing unauthorized access and potential data modification.
Product: LiteLLM AI Gateway
CVSS Score: 0
** KEV since 2026-05-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42208
CVE-2026-41940 - cPanel is susceptible to an authentication bypass vulnerability in older versions, enabling remote attackers to gain unauthorized control panel access.
Product: cPanel WHM
CVSS Score: 0
** KEV since 2026-04-30 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41940
ISC Podcast: https://isc.sans.edu/podcastdetail/9916
CVE-2026-6973 - Ivanti EPMM is vulnerable to improper input validation, allowing a remote authenticated user with administrative access to achieve remote code execution.
Product: Ivanti Endpoint Manager Mobile (EPMM)
CVSS Score: 7.2
** KEV since 2026-05-07 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6973
NVD References:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
CVE-2026-4670 - Progress Software MOVEit Automation is vulnerable to authentication bypass due to a primary weakness in Progress Software, impacting versions before 2025.0.0 and prior.
Product: Progress MOVEit Automation
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4670
ISC Podcast: https://isc.sans.edu/podcastdetail/9918
NVD References: https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
CVE-2026-5174 - Progress Software MOVEit Automation is vulnerable to privilege escalation due to improper input validation in versions prior to 2025.1.5, 2025.0.9, and 2024.1.8.
Product: Progress MOVEit Automation
CVSS Score: 7.7
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5174
ISC Podcast: https://isc.sans.edu/podcastdetail/9918
NVD References: https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
CVE-2026-23631 - Redis-server Lua use-after-free may allow remote code execution
Product: Redis
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23631
ISC Podcast: https://isc.sans.edu/podcastdetail/9924
NVD References: https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826
CVE-2026-25588 - RedisTimeSeries RESTORE invalid memory access may allow remote code execution
Product: RedisTimeSeries RESTORE
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25588
ISC Podcast: https://isc.sans.edu/podcastdetail/9924
NVD References: https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw
CVE-2026-31705, CVE-2026-31718, CVE-2026-43011, CVE-2026-43038, CVE-2026-43039 - Linux kernel vulnerabilities
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31705 (out-of-bounds write)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31718 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43011 (double free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43038
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43039
CVE-2025-14543 - Connext Professional (Core Libraries) allows Serialized Data External Linking through Improper Restriction of XML External Entity Reference vulnerability.
Product: Connext Professional
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14543
NVD References: https://www.rti.com/vulnerabilities/#cve-2025-14543
CVE-2025-71284 - Synway SMG Gateway Management Software is vulnerable to OS command injection in the RADIUS configuration endpoint, allowing unauthenticated remote attackers to achieve remote code execution.
Product: Synway SMG Gateway Management Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71284
NVD References: https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address
CVE-2026-33446, CVE-2026-33447 - Buffer overflow vulnerabilities in Secure Access client version 14.49 and earlier.
Product: Absolute Secure Access
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33446
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33447
NVD References:
- https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446
- https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447
CVE-2026-35051, CVE-2026-39858 - Authentication bypass vulnerabilities in Traefik.
Product: Traefik
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35051
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39858
NVD References:
- https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54
- https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
CVE-2026-42994 - Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, sourced from npm, contained embedded malicious code due to a Checkmarx supply chain incident.
Product: Bitwarden CLI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42994
NVD References: https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
CVE-2026-42778, CVE-2026-42779 - Apache MINA deserialization of untrusted data vulnerabilities.
Product: Apache MINA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42779
NVD References: https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
CVE-2026-43870 - Apache Thrift: Node.js web_server.js multi-vulnerability
Product: Apache Thrift
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43870
NVD References: https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy
CVE-2026-40682 - Apache OpenNLP DictionaryEntryPersistor allows for XXE via Unsanitized Dictionary Parsing, affecting versions before 2.5.9 and before 3.0.0-M3.
Product: Apache OpenNLP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40682
NVD References: https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6
CVE-2026-42027 - Apache OpenNLP ExtensionLoader allows arbitrary class instantiation via model manifest, potentially leading to unauthorized static initializer execution and side effects.
Product: Apache OpenNLP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42027
NVD References: https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y
CVE-2026-42809 - Apache Polaris can issue temporary storage credentials during staged table creation before validating the effective table location, allowing attackers to choose a reachable target location.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42809
NVD References: https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r
CVE-2026-42810 - Apache Polaris accepts literal `*` characters in namespace and table names, causing vulnerabilities in S3 IAM resource patterns and `s3:prefix` conditions.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42810
NVD References: https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9
CVE-2026-42811 - Apache Polaris is vulnerable to credential-broadening behavior due to a crafted namespace or table name in GCS credentials.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42811
NVD References: https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg
CVE-2026-42812 - Apache Iceberg is vulnerable to an issue where changing the `write.metadata.path` property can allow attackers to write table metadata to an attacker-chosen location without proper validation.
Product: Apache Iceberg
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42812
NVD References: https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9
CVE-2026-28780 - Apache HTTP Server is vulnerable to a heap-based buffer overflow in mod_proxy_ajp, allowing a malicious AJP server to execute remote code by sending a specially crafted message.
Product: Apache HTTP Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28780
NVD References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2026-40010 - Apache Wicket is vulnerable to session fixation attacks if Servlet http web request method changeSessionId is not invoked after session binding, impacting versions 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0, with the issue resolved in version 10.9.0.
Product: Apache Wicket
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40010
NVD References: https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1
CVE-2026-5081 - Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure due to the use of the UNIQUE_ID environment variable, making session ids easily guessable.
Product: Apache::Session::Generate::ModUniqueId
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5081
CVE-2026-42482, CVE-2026-42483, CVE-2026-42484 - Hashcat v7.1.2 stack-based and heap-based buffer overflow vulnerabilities.
Product: Hashcat 7.1.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42482
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42483
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42484
NVD References: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
CVE-2026-37531 - AGL app-framework-main up to version 17.1.12 is vulnerable to a Zip Slip path traversal and TOCTOU race condition during widget installation, allowing for potential file writing anywhere on the filesystem regardless of verification failure.
Product: AGL app-framework-main
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37531
NVD References: https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643
CVE-2026-37534 - Open-SAE-J1939 allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.
Product: Open-SAE J1939 through commit b6caf884df46435e539b1ecbf92b6c29b345bdfe
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37534
CVE-2026-37541 - Open Vehicle Monitoring System 3 (OVMS3) 3.3.005 is vulnerable to a buffer overflow in canformat_gvret.cpp, allowing remote attackers to trigger a denial of service or potentially execute arbitrary code.
Product: Open Vehicle Monitoring System OVMS3
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37541
CVE-2026-42364, CVE-2026-42368, CVE-2026-42369, CVE-2026-42370, CVE-2026-7161, CVE-2026-7372 - GeoVision vulnerabilities
Product: GeoVision
CVSS Scores: 9.0 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42364 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42368 (incorrect privilege assignment)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42369 (out-of-bounds write)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42370 (out-of-bounds write)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7161 (security through obscurity)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7372 (out-of-bounds write)
NVD References: https://talosintelligence.com/vulnerability_reports/
NVD References: https://www.geovision.com.tw/cyber_security.php
CVE-2026-7482 - Ollama before 0.17.1 has a heap out-of-bounds read vulnerability in the GGUF model loader, allowing attackers to leak sensitive data by supplying a malicious GGUF file to the /api/create endpoint and uploading the resulting artifact through the /api/push endpoint.
Product: Ollama
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7482
CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956 - VM2 sandbox escape vulnerabilities.
Product: VM2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24118
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24120
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24781
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26332
NVD References:
- https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
- https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
CVE-2026-25293 - Buffer overflow due to incorrect authorization in PLC FW
Product: Qualcomm Qca7005
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25293
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html
CVE-2026-42090 - Notesnook had a stored XSS vulnerability in the note export flow that could be escalated to remote code execution in the desktop app prior to versions 3.3.15 for Web/Desktop and 3.3.20 for iOS/Android.
Product: Notesnook Web/Desktop version 3.3.15, Notesnook iOS/Android version 3.3.20
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42090
NVD References: https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4
CVE-2026-42373 through CVE-2026-42376 - D-Link DIR-605L Hardware Revision B2 has hardcoded credentials vulnerabilities.
Product: D-Link DIR-605L
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42373
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42374
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42375
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42376
NVD References: https://www.securin.io/zero-day/cve-2026-42376-hardcoded-telnet-backdoor-in-d-link-dir-456u-a1-end-of-life-
CVE-2026-0073 - The adbd_tls_verify_cert vulnerability in auth.cpp of wireless ADB allows for bypass of mutual authentication, potentially leading to remote code execution as shell user without additional privileges.
Product: Google Android
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0073
ISC Podcast: https://isc.sans.edu/podcastdetail/9922
NVD References: https://source.android.com/docs/security/bulletin/2026/2026-05-01
CVE-2026-42087, CVE-2026-42088 - OpenC3 COSMOS vulnerabilities
Product: OpenC3 COSMOS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42087 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42088 (execution with unnecessary privileges)
NVD References:
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr
CVE-2026-42796 - Arelle before version 2.39.10 allows unauthenticated remote attackers to execute malicious Python code through the plugins query parameter in the /rest/configure endpoint.
Product: Arelle
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42796
NVD References: https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure
CVE-2026-42233 - n8n is an open source workflow automation platform with a vulnerability in the Oracle Database node that allowed SQL injection prior to versions 1.123.32, 2.17.4, and 2.18.1.
Product: n8n
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42233
NVD References: https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755
CVE-2026-42235 - n8n allowed potential session token theft and privilege escalation through an OAuth vulnerability in prior versions.
Product: n8n
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42235
NVD References: https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq
CVE-2026-42238 - Nginx UI before version 2.3.8 allows unauthenticated remote attackers to upload a crafted backup archive, potentially leading to arbitrary OS command injection.
Product: Nginx UI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42238
NVD References: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr
CVE-2026-43534 - OpenClaw before 2026.4.10 is vulnerable to input validation allowing malicious hook names to be used for escalating untrusted input into higher-trust agent context.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43534
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr
- https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events
CVE-2026-43566 - OpenClaw versions 2026.4.7 before 2026.4.14 have a privilege escalation vulnerability that allows attackers to maintain an owner-like execution context by sending untrusted webhook wake events.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43566
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32
- https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events
CVE-2026-43575 - OpenClaw versions 2026.2.21 before 2026.4.10 have an authentication bypass vulnerability in the noVNC helper route, exposing browser session credentials to unauthorized access.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43575
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374
- https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-sandbox-novnc-helper-route
CVE-2026-43578 - OpenClaw versions 2026.3.31 before 2026.4.10 are vulnerable to privilege escalation through untrusted completion content, allowing attackers to run commands with higher privileges.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43578
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873
CVE-2026-43581 - OpenClaw before 2026.4.10 has an improper network binding vulnerability in the sandbox browser CDP relay, allowing attackers to access the Chrome DevTools Protocol on 0.0.0.0 outside of intended local sandbox boundaries.
Product: OpenClaw
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43581
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4
CVE-2026-44109 - OpenClaw before 2026.4.15 is vulnerable to an authentication bypass flaw in Feishu webhook and card-action validation, allowing unauthenticated requests to bypass signature verification and execute arbitrary commands.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44109
NVD References:
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc
CVE-2026-36356 - The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Product: GoAhead web server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-36356
CVE-2026-7411 - Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 is vulnerable to a path traversal attack that can lead to Remote Code Execution (RCE) and system compromise.
Product: Eclipse BaSyx Java Server SDK
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7411
NVD References: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423
CVE-2026-38431 - ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI), allowing attackers with permission to create or edit email templates to execute code on the server.
Product: ERPNext
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38431
NVD References: https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine
CVE-2026-7853, CVE-2026-7854 - D-Link DI-8100 16.07.26A1 remote buffer overflow vulnerabilities.
Product: D-Link DI-8100
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7853
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7854
CVE-2026-27960 - OpenCTI is vulnerable to privilege escalation in versions 6.6.0 through 6.9.12, allowing unauthenticated attackers to query the API as any existing user, but has been patched in version 6.9.13.
Product: OpenCTI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27960
NVD References: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx
CVE-2026-38428 - Kestra v1.3.3 and before is vulnerable to SQL Injection due to lack of proper input sanitization, allowing attackers to inject SQL expressions into the database query.
Product: Kestra v1.3.3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38428
NVD References: https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x
CVE-2026-40281 - Gotenberg allows an unauthenticated attacker to manipulate PDF files and create symlinks or hard links at arbitrary paths by exploiting a vulnerability in versions 8.30.1 and earlier.
Product: Gotenberg
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40281
NVD References: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q
CVE-2026-40982 - Spring Cloud Config allows directory traversal attacks through specially crafted URLs, affecting versions 3.1.0 through 4.3.2.
Product: Spring Cloud Config
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40982
NVD References: https://spring.io/security/cve-2026-40982
CVE-2026-33587 - Open Notebook v1.8.3 is vulnerable to Server-Side Template Injection (SSTI) due to lack of user input sanitisation, allowing execution of Python code and OS commands on the docker container.
Product: Open-Notebook
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33587
NVD References: https://github.com/lfnovo/open-notebook/security/advisories/GHSA-f35w-wx37-26q7
CVE-2026-41589 - Wish SSH server, versions 2.0.0 to before 2.0.1, is vulnerable to path traversal attacks in the SCP middleware allowing malicious clients to read/write arbitrary files and directories.
Product: Wish SSH server
CVSS Score: 9.6
NVD References: https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h
CVE-2026-7414, CVE-2026-7415 - Yarbo firmware v2.3.9 vulnerabilities.
Product: Yarbo firmware v2.3.9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7414 (hardcoded administrative credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7415 (missing authentication for critical function)
CVE-2026-37709 - Grokability Snipe-IT v.8.4.0 and before allows remote attackers to execute arbitrary code via insecure permissions in UploadedFilesController.php.
Product: Grokability Snipe-IT
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37709
NVD References: https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64
CVE-2026-42880 - Argo CD versions 3.2.0 to 3.2.11 and 3.3.0 to 3.3.9 have a missing authorization flaw that allows attackers with read-only access to extract plaintext Kubernetes Secret data from etcd.
Product: Argo CD
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42880
NVD References: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
THE FOLLOWING CVEs DO *NOT* REQUIRE CUSTOMER ACTION
CVE-2026-33823 - Microsoft Team Events Portal Information Disclosure Vulnerability
Product: Microsoft Teams
CVSS Score: 9.6
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33823
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823
CVE-2026-33109 - Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Product: Azure Managed Instance for Apache Cassandra
CVSS Score: 9.9
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33109
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33109
CVE-2026-33844 - Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Product: Microsoft Azure Managed Instance for Apache Cassandra
CVSS Score: 9.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33844
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33844
CVE-2026-35428 - Azure Cloud Shell Spoofing Vulnerability
Product: Azure Cloud Shell
CVSS Score: 9.6
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35428
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35428
CVE-2026-42826 - Azure DevOps Information Disclosure Vulnerability
Product: Microsoft Azure DevOps
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826
CVE-2026-40379 - Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
Product: Microsoft Enterprise Security Token Service (ESTS)
CVSS Score: 9.3
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40379
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379