0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
AD FS elevation of privilege — insufficient access-control granularity
Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.
SharePoint Server elevation of privilege — missing authentication for critical function
SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.
Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
From the desk

ESET: 11 old signed UEFI shims still bypass Secure Boot
ESET's Martin Smolár found 11 old Microsoft-signed UEFI shims that still bypass Secure Boot — CVE-2026-8863, revoked via the June DBX update.

SAP's July Patch Day: three criticals, worst is 9.9
SAP's July 2026 Security Patch Day fixes 16 flaws — three rated critical, worst a CVSS 9.9 memory-corruption bug in NetWeaver ABAP. No known exploitation yet.

OFAC sanctions 1VPNS admin plus Belarusian cryptor seller
OFAC designated 1VPNS, its Ukrainian admin Rashevskyi, and Belarusian cryptor seller Silayev on July 14 — the follow-on to May's Operation Saffron seizure.

Grok Build v0.2.93 uploaded whole repos to xAI's bucket
xAI's Grok Build CLI v0.2.93 uploaded whole git repos, history and all, to a GCS bucket. The "Improve the model" toggle didn't stop it. Fix is server-side.

148 npm packages ran a browser-based DDoS botnet in May
JFrog: 148 npm packages hosted a fake student web proxy that turned visiting browsers into a DDoS botnet for about two weeks in May. Not a supply-chain attack.

A year of ShinyHunters OAuth abuse, mapped by Microsoft
Microsoft's July 13 report maps three OAuth paths ShinyHunters-linked actors used against Salesforce customers for a year — none of them a Salesforce bug.




