0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
Fortinet FortiSandbox unauthenticated OS command injection (4.2, 4.4, 5.0, Cloud, PaaS)
An unauthenticated OS command injection across FortiSandbox 4.2, 4.4, 5.0, plus FortiSandbox Cloud and PaaS 5.0 lets a network attacker run arbitrary commands via crafted HTTP requests. CVSS 9.8; CISA-listed KEV.
Oracle E-Business Suite Payments improper privilege management (unauth RCE)
A critical improper-privilege-management flaw in the Oracle Payments component of Oracle E-Business Suite (File Transmission) that lets an unauthenticated network attacker take over Oracle Payments. Patched in Oracle's May 2026 Critical Patch Update; added to CISA KEV on July 15, 2026.
SonicWall SMA1000 unauthenticated SSRF in Work Place portal
An unauthenticated server-side request forgery in the SonicWall SMA1000 Work Place web interface lets a remote attacker force the appliance to make requests to attacker-chosen destinations. Actively exploited; on CISA KEV.
SonicWall SMA1000 post-authentication OS command injection
A post-authentication OS command injection in the SonicWall SMA1000 lets an administrator execute arbitrary OS commands on the appliance. Actively exploited alongside CVE-2026-15409; on CISA KEV.
AD FS elevation of privilege — insufficient access-control granularity
Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.
SharePoint Server elevation of privilege — missing authentication for critical function
SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.
From the desk

LegacyHive: unpatched Windows LPE zero-day, PoC public
Researcher Nightmare Eclipse dropped LegacyHive — an unpatched Windows User Profile Service LPE — hours after July Patch Tuesday. No CVE, PoC on GitHub.

ACR Stealer, ClickFix, and why the Run box still works
Microsoft's Defender Experts detailed two ACR Stealer chains Thursday. Both start with a Run-dialog paste — and walk out with browser tokens and M365 files.

Windows Server 2022 mainstream support ends Oct 13
Microsoft's Windows Server 2022 leaves mainstream support October 13, 2026 — but extended support runs five more years with security updates at no extra cost.

The plumbing behind $43M in investment-fraud losses
DOJ charges two in a New York-based network that laundered at least $43 million from pig-butchering-style investment scams through ~140 accounts.

Windows 11 24H2 Home and Pro: 90 days to end of updates
Microsoft has set October 13, 2026 as the last patch day for Windows 11 24H2 Home and Pro. Enterprise and Education get one more year — the usual split.

n8n cross-issuer JWT bypass logs attackers in as anyone
CVE-2026-59208: n8n Enterprise instances trusting two or more JWT issuers matched incoming tokens on `sub` alone, letting a token from issuer A log in as B's user.




