cve-news
Exploit CVE-2026-44109 : OpenClaw Feishu Webhook Authentication Bypass to RCE
A technical breakdown of CVE-2026-44109, a CVSS 9.2 Critical authentication bypass vulnerability in OpenClaw (< 2026.4.15). Two fail-open logic inversions in the Feishu/Lark plugin — one in the webhook signature validator and one in the card-action replay guard — allow an unauthenticated attacker to inject arbitrary events into OpenClaw's command dispatch engine. When the bot has execution tools enabled, this translates directly to unauthenticated remote code execution on the host machine with the privileges of the OpenClaw process.
Thu 07 May 2026
CVE-2026-5205: Critical SSRF in Chatwoot — How a Single Upload Parameter Exposes Cloud Credentials
A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload...
Wed 29 April 2026
Twenty CRM Serverless Functions Expose Critical RCE and Permanent Unauthenticated Backdoor Risk (CVE-2026-26720) - PoC & Exploit
A technical breakdown of CVE-2026-26720, a CVSS 9.8 Critical authenticated Remote Code Execution ...
Wed 15 April 2026
New Roundcube Webmail Vulnerabilities Disclosed : IMAP Command Injection and SSRF via CSS Proxying.
A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1...
Wed 08 April 2026
CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution
A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.
CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain
A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.
Latest posts
Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass
A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerability in Roundcube Webmail (< 1.5.12 and < 1.6.12). The rcube_washtml sanitizer blocks SVG \
Tue 17 March 2026
GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn
Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5.0-beta.19). Two chained flaws, reflected XSS in route parameters and command injection in backup generation, enable remote code execution via administrator phishing.
Wed 11 March 2026
CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability
A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.
Wed 04 March 2026
CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing
A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.
Mon 23 February 2026
CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin
A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.
Fri 20 February 2026