Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-25089
[ CRITICAL ] CVSS 9.8 kev

Fortinet FortiSandbox unauthenticated OS command injection (4.2, 4.4, 5.0, Cloud, PaaS)

An unauthenticated OS command injection across FortiSandbox 4.2, 4.4, 5.0, plus FortiSandbox Cloud and PaaS 5.0 lets a network attacker run arbitrary commands via crafted HTTP requests. CVSS 9.8; CISA-listed KEV.

Fortinet / FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS (multiple 4.x and 5.0 lines — see body)
CVE-2026-46817
[ CRITICAL ] CVSS 9.8 kev

Oracle E-Business Suite Payments improper privilege management (unauth RCE)

A critical improper-privilege-management flaw in the Oracle Payments component of Oracle E-Business Suite (File Transmission) that lets an unauthenticated network attacker take over Oracle Payments. Patched in Oracle's May 2026 Critical Patch Update; added to CISA KEV on July 15, 2026.

Oracle / E-Business Suite — Oracle Payments (versions 12.2.3–12.2.15)
CVE-2026-15409
[ CRITICAL ] CVSS 10.0 kev

SonicWall SMA1000 unauthenticated SSRF in Work Place portal

An unauthenticated server-side request forgery in the SonicWall SMA1000 Work Place web interface lets a remote attacker force the appliance to make requests to attacker-chosen destinations. Actively exploited; on CISA KEV.

SonicWall / SMA1000 Series (6210, 7210, 8200v)
CVE-2026-15410
[ HIGH ] CVSS 7.2 kev

SonicWall SMA1000 post-authentication OS command injection

A post-authentication OS command injection in the SonicWall SMA1000 lets an administrator execute arbitrary OS commands on the appliance. Actively exploited alongside CVE-2026-15409; on CISA KEV.

SonicWall / SMA1000 Series (6210, 7210, 8200v)
CVE-2026-56155
[ HIGH ] CVSS 7.8 kev

AD FS elevation of privilege — insufficient access-control granularity

Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Active Directory Federation Services (AD FS) — see MSRC advisory for affected builds
CVE-2026-56164
[ MEDIUM ] CVSS 5.3 kev

SharePoint Server elevation of privilege — missing authentication for critical function

SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Microsoft SharePoint Server (see MSRC advisory for affected builds)
$ latest --more

From the desk

all articles →
~/articles/2026-07-17-nightmare-eclipse-legacyhive-windows-user-profile-service-lpe-zero-day
LegacyHive: unpatched Windows LPE zero-day, PoC public
● Breaking
microsoft

LegacyHive: unpatched Windows LPE zero-day, PoC public

Researcher Nightmare Eclipse dropped LegacyHive — an unpatched Windows User Profile Service LPE — hours after July Patch Tuesday. No CVE, PoC on GitHub.

read →
~/articles/2026-07-17-microsoft-defender-experts-acr-stealer-clickfix-run-box-paste-and-run
ACR Stealer, ClickFix, and why the Run box still works
Analysis
threat intel

ACR Stealer, ClickFix, and why the Run box still works

Microsoft's Defender Experts detailed two ACR Stealer chains Thursday. Both start with a Run-dialog paste — and walk out with browser tokens and M365 files.

read →
~/articles/2026-07-17-microsoft-windows-server-2022-mainstream-eos-october-13-extended-2031
Windows Server 2022 mainstream support ends Oct 13
● Breaking
microsoft

Windows Server 2022 mainstream support ends Oct 13

Microsoft's Windows Server 2022 leaves mainstream support October 13, 2026 — but extended support runs five more years with security updates at no extra cost.

read →
~/articles/2026-07-17-doj-chen-zhang-43m-money-laundering-140-accounts-45-shells
The plumbing behind $43M in investment-fraud losses
Analysis
threat intel

The plumbing behind $43M in investment-fraud losses

DOJ charges two in a New York-based network that laundered at least $43 million from pig-butchering-style investment scams through ~140 accounts.

read →
~/articles/2026-07-16-microsoft-windows-11-24h2-home-pro-eos-october-13-25h2-enablement
Windows 11 24H2 Home and Pro: 90 days to end of updates
microsoft

Windows 11 24H2 Home and Pro: 90 days to end of updates

Microsoft has set October 13, 2026 as the last patch day for Windows 11 24H2 Home and Pro. Enterprise and Education get one more year — the usual split.

read →
~/articles/2026-07-17-n8n-cve-2026-59208-cross-issuer-token-exchange-sub-iss
n8n cross-issuer JWT bypass logs attackers in as anyone
n8n

n8n cross-issuer JWT bypass logs attackers in as anyone

CVE-2026-59208: n8n Enterprise instances trusting two or more JWT issuers matched incoming tokens on `sub` alone, letting a token from issuer A log in as B's user.

read →