Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-56155
[ HIGH ] CVSS 7.8 kev

AD FS elevation of privilege — insufficient access-control granularity

Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Active Directory Federation Services (AD FS) — see MSRC advisory for affected builds
CVE-2026-56164
[ MEDIUM ] CVSS 5.3 kev

SharePoint Server elevation of privilege — missing authentication for critical function

SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Microsoft SharePoint Server (see MSRC advisory for affected builds)
CVE-2026-56291
[ CRITICAL ] CVSS 9.8 kev

Balbooa Forms unauthenticated file-upload RCE

The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.

Balbooa / Forms (Joomla extension, com_baforms)
CVE-2026-48908
[ CRITICAL ] CVSS 9.8 EPSS 0.8% kev

JoomShaper SP Page Builder unauthenticated file-upload RCE

An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

JoomShaper / SP Page Builder (Joomla extension)
CVE-2026-55255
[ HIGH ] CVSS 8.4 EPSS 0.2% kev

Langflow /api/v1/responses IDOR — cross-user flow execution

An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.

Langflow / Langflow (versions before 1.9.1)
CVE-2026-56290
[ CRITICAL ] CVSS 9.8 EPSS 0.4% kev

Joomlack Page Builder unauthenticated file-upload RCE

An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

Joomlack / Page Builder (Joomla extension)
$ latest --more

From the desk

all articles →
~/articles/2026-07-14-eset-uefi-shim-cve-2026-8863-secure-boot-bypass
ESET: 11 old signed UEFI shims still bypass Secure Boot
microsoft

ESET: 11 old signed UEFI shims still bypass Secure Boot

ESET's Martin Smolár found 11 old Microsoft-signed UEFI shims that still bypass Secure Boot — CVE-2026-8863, revoked via the June DBX update.

read →
~/articles/2026-07-14-sap-july-patch-day-three-criticals-netweaver-approuter-commerce
SAP's July Patch Day: three criticals, worst is 9.9
sap

SAP's July Patch Day: three criticals, worst is 9.9

SAP's July 2026 Security Patch Day fixes 16 flaws — three rated critical, worst a CVSS 9.9 memory-corruption bug in NetWeaver ABAP. No known exploitation yet.

read →
~/articles/2026-07-14-ofac-1vpns-rashevskyi-silayev-sb0559-cryptor-designation
OFAC sanctions 1VPNS admin plus Belarusian cryptor seller
ransomware

OFAC sanctions 1VPNS admin plus Belarusian cryptor seller

OFAC designated 1VPNS, its Ukrainian admin Rashevskyi, and Belarusian cryptor seller Silayev on July 14 — the follow-on to May's Operation Saffron seizure.

read →
~/articles/2026-07-14-cereblab-grok-build-0-2-93-git-repo-upload-gcs
Grok Build v0.2.93 uploaded whole repos to xAI's bucket
threat intel

Grok Build v0.2.93 uploaded whole repos to xAI's bucket

xAI's Grok Build CLI v0.2.93 uploaded whole git repos, history and all, to a GCS bucket. The "Improve the model" toggle didn't stop it. Fix is server-side.

read →
~/articles/2026-07-14-jfrog-148-npm-packages-browser-ddos-botnet-may
148 npm packages ran a browser-based DDoS botnet in May
supply chain

148 npm packages ran a browser-based DDoS botnet in May

JFrog: 148 npm packages hosted a fake student web proxy that turned visiting browsers into a DDoS botnet for about two weeks in May. Not a supply-chain attack.

read →
~/articles/2026-07-14-microsoft-shinyhunters-salesforce-oauth-three-paths
A year of ShinyHunters OAuth abuse, mapped by Microsoft
Analysis
threat intel

A year of ShinyHunters OAuth abuse, mapped by Microsoft

Microsoft's July 13 report maps three OAuth paths ShinyHunters-linked actors used against Salesforce customers for a year — none of them a Salesforce bug.

read →