Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-48908
[ CRITICAL ] CVSS 9.8 EPSS 0.8% kev

JoomShaper SP Page Builder unauthenticated file-upload RCE

An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

JoomShaper / SP Page Builder (Joomla extension)
CVE-2026-55255
[ HIGH ] CVSS 8.4 EPSS 0.2% kev

Langflow /api/v1/responses IDOR — cross-user flow execution

An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.

Langflow / Langflow (versions before 1.9.1)
CVE-2026-56290
[ CRITICAL ] CVSS 9.8 EPSS 0.4% kev

Joomlack Page Builder unauthenticated file-upload RCE

An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

Joomlack / Page Builder (Joomla extension)
CVE-2026-45659
[ HIGH ] CVSS 8.8 EPSS 3.2% kev

Microsoft SharePoint Server deserialization remote code execution

A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.

Microsoft / SharePoint Server (on-premises)
CVE-2026-48282
[ CRITICAL ] CVSS 10.0 EPSS 1.0% kev

Adobe ColdFusion path-traversal to arbitrary code execution

Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.

Adobe / ColdFusion (2023 through update 20; 2025 through update 9)
CVE-2026-48558
[ CRITICAL ] CVSS 10.0 EPSS 1.2% kev

SimpleHelp OIDC Authentication Bypass

SimpleHelp 5.5.15 and prior accepts OIDC identity tokens without verifying their signature — a forged token yields a full technician session. CVSS 10.0, KEV, patch is 5.5.16.

SimpleHelp / SimpleHelp Server
$ latest --more

From the desk

all articles →
~/articles/2026-07-10-illbloom-coinspect-weak-prng-mobile-wallet-drain
Ill Bloom is a $3.1M lesson in weak randomness, again
Analysis
threat intel

Ill Bloom is a $3.1M lesson in weak randomness, again

Coinspect disclosed weak PRNG in wallet recovery-phrase generation; attackers drained $3.1M in a May sweep. The pattern — bad randomness, stolen keys — is old.

read →
~/articles/2026-07-10-digitalmint-martino-70-months-blackcat-insider-negotiation
Ex-DigitalMint negotiator gets 70 months for BlackCat scheme
Analysis
ransomware

Ex-DigitalMint negotiator gets 70 months for BlackCat scheme

Angelo Martino, ex-DigitalMint IR employee, sentenced to 70 months for feeding BlackCat victims' insurance limits and negotiation floors. An old failure mode.

read →
~/articles/2026-07-10-meta-muse-image-instagram-public-default-impersonation-surface
Meta's Muse Image defaults on for public Instagram
Analysis
threat intel

Meta's Muse Image defaults on for public Instagram

Meta's new Muse Image model reuses public Instagram photos and reels by default — no notification, no watermark discussion, opt-out three levels deep in Sharing settings.

read →
~/articles/2026-07-10-clearinghouse-summer-athena-lightwell-old-pattern
The clearinghouse boom is not new, and neither is the fatigue
Analysis
threat intel

The clearinghouse boom is not new, and neither is the fatigue

Chainguard announced Athena. Red Hat and the White House announced Lightwell. Vulnerability clearinghouses have been getting reannounced since the 1980s.

read →
~/articles/2026-07-10-hackernews-ato-verification-step-passkey-aftermath
Analysis
threat intel

The ATO fight moved past credential stuffing

The Hacker News argues account takeover shifted from credential stuffing to attacking verification — passkeys pushed the front door shut, so attackers moved.

read →
~/articles/2026-07-10-talos-hazel-winning-54-percent-defender-cliche
Analysis
threat intel

Talos on 'attackers only need to be right once'

Cisco Talos's Hazel argues 'attackers only need to be right once' is a cliché the defensive community should retire. It's overdue.

read →