Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-25089
[ CRITICAL ] CVSS 9.8 kev

Fortinet FortiSandbox unauthenticated OS command injection (4.2, 4.4, 5.0, Cloud, PaaS)

An unauthenticated OS command injection across FortiSandbox 4.2, 4.4, 5.0, plus FortiSandbox Cloud and PaaS 5.0 lets a network attacker run arbitrary commands via crafted HTTP requests. CVSS 9.8; CISA-listed KEV.

Fortinet / FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS (multiple 4.x and 5.0 lines — see body)
CVE-2026-46817
[ CRITICAL ] CVSS 9.8 kev

Oracle E-Business Suite Payments improper privilege management (unauth RCE)

A critical improper-privilege-management flaw in the Oracle Payments component of Oracle E-Business Suite (File Transmission) that lets an unauthenticated network attacker take over Oracle Payments. Patched in Oracle's May 2026 Critical Patch Update; added to CISA KEV on July 15, 2026.

Oracle / E-Business Suite — Oracle Payments (versions 12.2.3–12.2.15)
CVE-2026-15409
[ CRITICAL ] CVSS 10.0 kev

SonicWall SMA1000 unauthenticated SSRF in Work Place portal

An unauthenticated server-side request forgery in the SonicWall SMA1000 Work Place web interface lets a remote attacker force the appliance to make requests to attacker-chosen destinations. Actively exploited; on CISA KEV.

SonicWall / SMA1000 Series (6210, 7210, 8200v)
CVE-2026-15410
[ HIGH ] CVSS 7.2 kev

SonicWall SMA1000 post-authentication OS command injection

A post-authentication OS command injection in the SonicWall SMA1000 lets an administrator execute arbitrary OS commands on the appliance. Actively exploited alongside CVE-2026-15409; on CISA KEV.

SonicWall / SMA1000 Series (6210, 7210, 8200v)
CVE-2026-56155
[ HIGH ] CVSS 7.8 kev

AD FS elevation of privilege — insufficient access-control granularity

Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Active Directory Federation Services (AD FS) — see MSRC advisory for affected builds
CVE-2026-56164
[ MEDIUM ] CVSS 5.3 kev

SharePoint Server elevation of privilege — missing authentication for critical function

SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.

Microsoft / Microsoft SharePoint Server (see MSRC advisory for affected builds)
$ latest --more

From the desk

all articles →
~/articles/2026-07-16-daxin-srt64-stupig-winlogon-taiwan-digiwin-jdk
Daxin resurfaces in Taiwan alongside new Stupig backdoor
threat intel

Daxin resurfaces in Taiwan alongside new Stupig backdoor

Symantec finds the Daxin kernel rootkit resurfacing at a Taiwan manufacturer, alongside a previously unreported pre-login SYSTEM backdoor called Stupig.

read →
~/articles/2026-07-16-scattered-spider-tfl-jubair-flowers-nca-cma-sentence
Two Scattered Spider affiliates get 5.5 years for TfL hack
threat intel

Two Scattered Spider affiliates get 5.5 years for TfL hack

Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty under the UK Computer Misuse Act. The 2024 intrusion knocked out 148 TfL systems and cost £29 million.

read →
~/articles/2026-07-16-sharkninja-tokay0-aws-iot-cert-region-root-no-patch
Unpatched Shark vacuums: regional root, no CVE, no patch
threat intel

Unpatched Shark vacuums: regional root, no CVE, no patch

tokay0 published a Shark robot vacuum flaw July 13: over-permissive AWS IoT device cert grants root on any other Shark in the same region. No patch.

read →
~/articles/2026-07-16-symantec-spirals-ransomware-iis-webshell-24h-south-asia
Spirals ransomware: full network encrypted in under 24h
● Breaking
ransomware

Spirals ransomware: full network encrypted in under 24h

Symantec documents Spirals, a new ransomware family: IIS web-shell entry to a fully encrypted network in under 24 hours — one confirmed victim so far, an IT services firm in South Asia.

read →
~/articles/2026-07-16-openai-gpt-red-internal-red-teamer-prompt-injection
OpenAI discloses GPT-Red, its internal automated red-teamer
● Breaking
threat intel

OpenAI discloses GPT-Red, its internal automated red-teamer

OpenAI describes GPT-Red, an internal automated red-teamer that scales prompt injection discovery and adversarially trains later models against those attacks.

read →
~/articles/2026-07-16-mindgard-cursor-workspace-git-hijack-windows-no-patch
Cursor: opening a repo runs its git.exe. No patch, 7 months.
supply chain

Cursor: opening a repo runs its git.exe. No patch, 7 months.

Mindgard disclosed a Cursor zero-day July 14 after seven months without a fix. Opening a repo with a git.exe file runs it as you. Windows only. No patch.

read →