Skip to content
feed: live
>_ 0dayNews

0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

full tracker →
CVE-2026-56291
[ CRITICAL ] CVSS 9.8 kev

Balbooa Forms unauthenticated file-upload RCE

The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.

Balbooa / Forms (Joomla extension, com_baforms)
CVE-2026-48908
[ CRITICAL ] CVSS 9.8 EPSS 0.8% kev

JoomShaper SP Page Builder unauthenticated file-upload RCE

An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

JoomShaper / SP Page Builder (Joomla extension)
CVE-2026-55255
[ HIGH ] CVSS 8.4 EPSS 0.2% kev

Langflow /api/v1/responses IDOR — cross-user flow execution

An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.

Langflow / Langflow (versions before 1.9.1)
CVE-2026-56290
[ CRITICAL ] CVSS 9.8 EPSS 0.4% kev

Joomlack Page Builder unauthenticated file-upload RCE

An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

Joomlack / Page Builder (Joomla extension)
CVE-2026-45659
[ HIGH ] CVSS 8.8 EPSS 3.2% kev

Microsoft SharePoint Server deserialization remote code execution

A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.

Microsoft / SharePoint Server (on-premises)
CVE-2026-48282
[ CRITICAL ] CVSS 10.0 EPSS 1.0% kev

Adobe ColdFusion path-traversal to arbitrary code execution

Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.

Adobe / ColdFusion (2023 through update 20; 2025 through update 9)
$ latest --more

From the desk

all articles →
~/articles/2026-07-11-modbeacon-silver-fox-rust-rat-grpc-c2-qianxin
Silver Fox ships MODBEACON, a Rust RAT with gRPC C2
threat intel

Silver Fox ships MODBEACON, a Rust RAT with gRPC C2

QiAnXin attributes a new Rust-based RAT called MODBEACON to Silver Fox, using gRPC streaming for encrypted C2 and SEO-poisoned installers for delivery.

read →
~/articles/2026-07-11-metasploit-weekly-flowise-csv-packagekit-modules
threat intel

Metasploit Weekly Adds Flowise CSV, macOS PackageKit

Rapid7's Metasploit weekly drops two modules — a Flowise CSV Agent prompt-injection RCE and a macOS PackageKit LPE. New tooling, not new bugs.

read →
~/articles/2026-07-10-openmandriva-beatrici-cooker-cosmic-gnome-admin-boundary
OpenMandriva contributor deleted GNOME and Cosmic repos
Analysis
supply chain

OpenMandriva contributor deleted GNOME and Cosmic repos

Davide Beatrici, a three-year OpenMandriva admin, deleted the Cosmic and GNOME repositories and pushed an obsoleting empty package into Cooker on July 8.

read →
~/articles/2026-07-11-zimbra-10-1-19-classic-web-client-xss-google-tag
zimbra

Zimbra ships 10.1.19; Google TAG reported the XSS

Zimbra 10.1.19 patches a stored XSS in the Classic Web Client. No CVE yet, no confirmed exploitation — Google TAG reported it, which is the reason to patch now.

read →
~/articles/2026-07-11-npm-12-allowscripts-off-default-gats-oidc-branch
npm 12 turns install scripts off by default
Analysis
supply chain

npm 12 turns install scripts off by default

npm 12 defaults allowScripts to off and deprecates 2FA-bypass tokens. Closes the install-hook branch; does not touch the maintainer-account one.

read →
~/articles/2026-07-10-iossifov-seized-crypto-wallet-still-had-key
A seized crypto account that moved from a cell
Analysis
threat intel

A seized crypto account that moved from a cell

Rossen Iossifov, ten years into a laundering sentence, is charged with moving $290K from a seized crypto account. The interesting part is it still moved.

read →