Infosec Trending Feed
Daily-updated intelligence feed tracking CVEs, zero-days, exploit releases, bug bounty writeups, breach reports, red-team research, hacking tools, and real-time infosec trends from leading sources worldwide.
Updated on: 7:52 PM IST, 29 Apr 2026
Zero Day Initiative
- Oracle VirtualBox SoundBlaster 16 Race Condition Local Privilege Escalation Vulnerability - A race condition in the SoundBlaster 16 device of Oracle VirtualBox allows local attackers to escalate privileges.
- (0Day) OpenAI Codex Sandbox Escape Vulnerability - A vulnerability in OpenAI Codex allows remote attackers to bypass the sandbox and execute arbitrary code.
HackerOne Hacktivity
- IBM Aspera HTTP Gateway stores sensitive information in clear text - Sensitive information stored in clear text in easily obtainable files could be read by unauthenticated users.
- Bypass of Restricted Keyword "Mozilla" in Display Name Field - Unicode homoglyphs allowed bypassing restricted keyword filters on addons.allizom.org.
- Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net - Vulnerability in messaging system allowed bypassing privacy settings to send unsolicited messages.
- Non-premium user can disable Ads in Japanese version of dic.pixiv.net - Logic flaw allowed non-premium users to disable advertisements on the platform.
- Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate - Improper validation of host parameters enabled argument injection and file disclosure.
- mruby-engine: UAF in MRubyEngine#initialize enables local RCE - Use-after-free vulnerability in mruby-engine initialization allowed local code execution.
- Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS - Missing error handling in Node.js TLS wrap led to potential remote denial of service.
- RBAC bypass on App log endpoints via permissionRequired typo - A typo in permission requirements allowed authenticated users to read admin-only Enterprise App logs.
- Complete authentication bypass to admin permissions - Critical vulnerability in Rocket.Chat allowed full administrative access bypass.
- SVG filter primitives bypass remote image blocking - Nextcloud vulnerability where SVG filters enabled email tracking by bypassing image blocking.
Medium.com
- How I Discovered a Cognito Misconfiguration That Bypassed Corporate SSO - Detailed writeup on bypassing corporate SSO via AWS Cognito misconfigurations.
- Escaping the Sandbox: Client-Side Template Injection (CSTI) via Outdated AngularJS - Exploration of CSTI vulnerabilities in legacy AngularJS implementations.
- How I Found My First RCE — CVE-2026-37748 - Walkthrough of discovering a Remote Code Execution vulnerability assigned as CVE-2026-37748.
- How a Simple Google Dork Led Me to a Critical Authentication Bypass on Sony - Case study on using OSINT to find critical authentication flaws in major corporate infrastructure.
GitHub: arkadiyt/bounty-targets-data
- No updates in the last 24 hours - The repository shows no commit activity within the last 24-hour window.
Intigriti 'BugBytes' & YesWeHack Blog
- No updates in the last 24 hours - No new blog posts or BugBytes were published on Intigriti in the last 24 hours.
- No updates in the last 24 hours - No new writeups or articles were published on YesWeHack in the last 24 hours.
Pentest-Report.com & getdisclosed.com Aggregators
- No updates in the last 24 hours - The latest curated drop on getdisclosed.com was from April 20, 2026.
- Source Unavailable - Pentest-Report.com was unreachable during the sweep.
Twitter/X
- GitHub RCE CVE-2026-3854 - Researchers identified a vulnerability where millions of GitHub repositories could be accessed via malicious git push options.
- Chrome Zero-Day CVE-2025-3124 - Google released an emergency update for a critical zero-day vulnerability being actively exploited.
- Microsoft Defender 0-day - Tracking a newly released, unpatched Microsoft Defender zero-day vulnerability alongside active exploitation of older Excel flaws.
- Checkmarx Breach Exposure - Automation-driven compromise of over 766 systems in 24 hours, stealing cloud credentials and API keys.
Reddit r/netsec
- Detecting LLM-Generated Passwords - Research on identifying fingerprints left by LLMs when generating passwords to improve attribution.
- Full-chain RCE in Microsoft Semantic Kernel - Disclosure of 6 bypasses leading to a full-chain remote code execution in Microsoft's Semantic Kernel and Agent Framework.
- 4G Industrial Router Root Access - Detailed walkthrough of achieving root access on a common 4G industrial router.
- 89 Vulnerabilities in Citrix XenServer - A massive disclosure of nearly 90 vulnerabilities affecting XAPI and Citrix XenServer.
Lobste.rs
- Carrot Disclosure: Forgejo - Security disclosure regarding vulnerabilities in the Forgejo self-hosted software forge.
- Bypassing DPI with eBPF - Technique for bypassing Deep Packet Inspection using eBPF without requiring a VPN or proxy.
- GitHub Actions Security Risks - Analysis of why GitHub Actions is often the weakest link in a company's security posture.
- GTFOBins Updates - New entries and updates to the curated list of Unix binaries that can be used to bypass local security restrictions.
The Hacker News
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push - A critical RCE vulnerability in GitHub Enterprise Server allows attackers to execute code via a single git push.
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign - The LofyGang threat actor has returned with a new stealer targeting Minecraft players to siphon credentials and credit card data.
- VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi - A flaw in VECT 2.0 ransomware causes it to act as a wiper, permanently destroying files larger than 131KB.
- Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE - An unsafe deserialization vulnerability in Hugging Face's LeRobot platform enables unauthenticated remote code execution.
- After Mythos: New Playbooks For a Zero-Window Era - The rapid advancement of AI like Claude Mythos is closing the vulnerability patching window to near-zero.
- Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks - A Chinese national has been extradited to the U.S. for hacking into research institutions to steal COVID-19 data.
- Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover - Microsoft fixed a vulnerability in Entra ID that could allow attackers to take over service principals.
- Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 - A Windows Shell vulnerability is being actively exploited in the wild to execute arbitrary code.
BleepingComputer
- PyPI package with 1.1M monthly downloads hacked to push infostealer - A popular Python package was compromised to distribute malware to over a million users.
- FTC: Americans lost over $2.1 billion to social media scams in 2025 - New FTC data reveals a massive surge in financial losses due to scams originating on social platforms.
- Canada arrests three for operating “SMS blaster” device in Toronto - Authorities dismantled a sophisticated SMS phishing operation using specialized hardware to send mass fraudulent texts.
- Home security giant ADT data breach affects 5.5 million people - ADT disclosed a significant breach exposing customer information for millions of its users.
- Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw - Attackers are actively targeting a SQL injection vulnerability in the LiteLLM gateway to steal sensitive data.
- Video service Vimeo confirms Anodot breach exposed user data - A third-party breach at Anodot resulted in the exposure of Vimeo customer information.
- US reportedly charges Scattered Spider hacker arrested in Finland - A key member of the Scattered Spider group faces U.S. charges following an arrest in Finland.
- Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data - Security firm Checkmarx verified that data stolen in a previous attack has been leaked online by the LAPSUS$ group.
Risky Business
- A deep dive on AI model distillation attacks - New research explores how attackers can steal proprietary AI models through distillation techniques.
- Risky Bulletin: Ukrainians hacked Russian satellite comms platform - Ukrainian cyber forces successfully breached a critical Russian satellite communication system.
- Risky Bulletin: New fingerprinting technique can track Tor users - A novel traffic analysis method has been discovered that can deanonymize users on the Tor network.
- Risky Business (834): Vercel gets owned, Mozilla dumps hundreds of Mythos bugs - The latest podcast covers the Vercel breach and Mozilla's disclosure of numerous AI-discovered vulnerabilities.
Dark Reading
- NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later - Chris Inglis discusses the impact of the Snowden leaks and lessons for modern cybersecurity leadership.
- Vidar Rises to Top of Chaotic Infostealer Market - The Vidar malware has emerged as a dominant force in the underground market for stolen credentials.
- Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain - Attackers are using malicious VS Code extensions to compromise developer environments and supply chains.
CIO ET
- Why enterprises aren’t ready for India’s Data Privacy Law, and why time is no longer on their side - Analysis of the challenges Indian enterprises face in complying with the upcoming DPDP Act.
- Microsoft disrupts cybercrime service linked to AI-enabled fraud - Microsoft took legal and technical action against a service facilitating AI-powered fraudulent activities.
- Security startup Torq raises cash at $1.2 billion valuation - Hyperautomation security firm Torq has reached unicorn status with its latest funding round.
NIST NVD & CVE Mitre
- CVE-2026-7363 - Critical Use-after-free in Canvas in Google Chrome on Linux/ChromeOS allowing remote code execution.
- CVE-2026-7361 - Critical Use-after-free in iOS in Google Chrome allowing remote exploitation of heap corruption.
- CVE-2026-7344 - Critical Use-after-free in Accessibility in Google Chrome on Windows allowing sandbox escape.
- CVE-2026-7343 - Critical Use-after-free in Views in Google Chrome on Windows allowing sandbox escape.
- CVE-2026-41635 - Critical CVSS 9.8 arbitrary code execution vulnerability in Apache MINA.
- CVE-2026-33694 - Arbitrary code execution vulnerability in Tenable Nessus and Nessus Agent on Windows.
PoC-in-GitHub & GitHub Advisories
- ZeroPathAI/nifi-CVE-2026-39816-poc - PoC for NiFi vulnerability allowing users without execute permissions to run arbitrary scripts.
- nightcorefan94/CVE-2026-6770 - PoC for IndexedDB vulnerability in Firefox and Thunderbird.
- LACHHAB-Anas/Exploit_CVE-2026-3854 - RCE exploit for GitHub Enterprise Server via improper neutralization of push option values.
- 0xBlackash/CVE-2026-41462 - SQL injection vulnerability in ProjeQtor login functionality allowing unauthenticated RCE.
- SecTestAnnaQuinn/Grassmarlin-CVE-2026-6807-XXE-POC - XXE vulnerability in GRASSMARLIN v3.2.1 for sensitive information exposure.
- murrez/CVE-2026-1306 - Arbitrary file upload and RCE in WordPress midi-Synth plugin.
- CVE-2025-9773 - Security flaw in RemoteClinic up to 2.0 published today.
- CVE-2025-9747 - Vulnerability in Koillection up to 1.6.18 published today.
GitHub Search (CVE-2026/2025 Created Today)
- gl1tch0x1/PHP_8.1.x_Exploit - Automated detection and exploitation of critical PHP vulnerabilities including CVE-2025-14177.
Exploit-DB & Packet Storm Security
- openSUSE-SU-2026:20629-1 - MariaDB security update for CVE-2026-32710.
- openSUSE-SU-2026:10628-1 - Pocketbase security update for CVE-2026-33809.
- AdGuard Home h2c Upgrade Authentication Bypass - Exploit for CVE-2026-32136 affecting AdGuard Home versions prior to 0.107.73.
- Logic-to-Code Execution via Indirect Prompt Injection - Whitepaper on achieving RCE in LLM implementations via indirect prompt injection.
GhostTroops/TOP (Trending Offensive Projects)
- CVE-2026-41651 - Trending offensive project updated today.
- CVE-2025-55182 - Full RCE PoC for RSC/Next.js vulnerability updated today.
- CVE-2025-55182-research - Research and PoC for Next.js RCE updated today.