Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-48908
[ CRITICAL ] CVSS 9.8 EPSS 0.8% kev

JoomShaper SP Page Builder unauthenticated file-upload RCE

An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

JoomShaper / SP Page Builder (Joomla extension)
CVE-2026-55255
[ HIGH ] CVSS 8.4 EPSS 0.2% kev

Langflow /api/v1/responses IDOR — cross-user flow execution

An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.

Langflow / Langflow (versions before 1.9.1)
CVE-2026-56290
[ CRITICAL ] CVSS 9.8 EPSS 0.4% kev

Joomlack Page Builder unauthenticated file-upload RCE

An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

Joomlack / Page Builder (Joomla extension)
CVE-2026-45659
[ HIGH ] CVSS 8.8 EPSS 3.2% kev

Microsoft SharePoint Server deserialization remote code execution

A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.

Microsoft / SharePoint Server (on-premises)
CVE-2026-48282
[ CRITICAL ] CVSS 10.0 EPSS 1.0% kev

Adobe ColdFusion path-traversal to arbitrary code execution

Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.

Adobe / ColdFusion (2023 through update 20; 2025 through update 9)
CVE-2026-48558
[ CRITICAL ] CVSS 10.0 EPSS 1.2% kev

SimpleHelp OIDC Authentication Bypass

SimpleHelp 5.5.15 and prior accepts OIDC identity tokens without verifying their signature — a forged token yields a full technician session. CVSS 10.0, KEV, patch is 5.5.16.

SimpleHelp / SimpleHelp Server
$ latest --more

From the desk

all articles →
~/articles/2026-07-09-assuranceamerica-breach-6-9m-drivers-march-intrusion
AssuranceAmerica breach: 6.9M drivers, 4-month notice gap
● Breaking
threat intel

AssuranceAmerica breach: 6.9M drivers, 4-month notice gap

AssuranceAmerica confirms a March 16 intrusion exposed data on 6,998,886 drivers. Notification letters went out in July — a nearly four-month gap between detection and public notice.

read →
~/articles/2026-07-09-infoblox-lurking-lizard-230-domain-fake-7zip-residential-proxy
Infoblox: Lurking Lizard runs 230-domain fake 7-Zip proxy
threat intel

Infoblox: Lurking Lizard runs 230-domain fake 7-Zip proxy

Infoblox ties a China-based residential-proxy operator to 230+ lookalike domains active since 2022, seeding fake 7-Zip and WireVPN installers.

read →
~/articles/2026-07-09-microsoft-defender-rogueplanet-cve-2026-50656-lpe-patch
microsoft

Microsoft patches Defender 'RoguePlanet' LPE; PoC public

Microsoft shipped an out-of-band Defender engine update for RoguePlanet (CVE-2026-50656), a race-condition LPE to SYSTEM. Public PoC. Verify auto-update landed.

read →
~/articles/2026-07-09-wiz-ghostapproval-symlink-six-ai-coding-assistants
threat intel

GhostApproval symlink bug hits six AI coding assistants

Wiz research: Amazon Q, Cursor, Claude Code, Augment, Antigravity, Windsurf all approved one file path in the dialog while writing to another via symlinks.

read →
~/articles/2026-07-08-redwing-android-maas-oblivion-telegram-zimperium
RedWing turns Android bank fraud into a Telegram rental
Analysis
mobile

RedWing turns Android bank fraud into a Telegram rental

Zimperium's zLabs details RedWing, an Android bank-fraud MaaS sold on Telegram — Oblivion variant, subscription tiers, prebuilt droppers, 82 target banks.

read →
~/articles/2026-07-08-spain-palencia-carr-noname-logistics-arrest
Spain arrests suspected CARR logistics operator
Analysis
threat intel

Spain arrests suspected CARR logistics operator

Spanish police detained a Palencia man tied to CyberArmy of Russia Reborn, Z-Pentest, and NoName057(16). The announcement lands nearly four months after the raid.

read →