Cyber Intelligence
The latest Cyber Intelligence news, releases and research, aggregated in real time from open sources by FiveThink.
- GHSA-g6qx-g4pr-92v7 (CVE-2026-48146): Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection · GitHub Advisories
- GHSA-98xf-r82g-9mhx (CVE-2026-48121): LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access · GitHub Advisories
- GHSA-9r4w-jg96-92mv: Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() · GitHub Advisories
- GHSA-2gr4-ppc7-7mhx (CVE-2026-48062): CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule · GitHub Advisories
- CVE-2026-50545: Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions · NVD
- CVE-2026-20253: In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 an · NVD
- GHSA-hv8m-jj95-wg3x (CVE-2026-48109): MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input · GitHub Advisories
- GHSA-r236-5pc3-3qcp (CVE-2026-11401): AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance · GitHub Advisories
- GHSA-9gw6-46qc-99vr (CVE-2026-48039): Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token · GitHub Advisories
- CVE-2026-50638: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. Th · NVD
- GHSA-4r3c-5hpg-58qr (CVE-2026-48110): Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds · GitHub Advisories
- GHSA-4x76-22x2-rx8v (CVE-2026-48054): OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri · GitHub Advisories
- GHSA-jvc5-6g7q-c843 (CVE-2026-48030): Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter · GitHub Advisories
- GHSA-598g-h2vc-h5vg (CVE-2026-47724): nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation · GitHub Advisories
- CVE-2026-20251: In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 1 · NVD
- CVE-2026-6893: A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by provid · NVD
- GHSA-g628-r368-6vh7 (CVE-2025-27511): GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection · GitHub Advisories
- GHSA-wxq4-cc2q-338q (CVE-2026-48099): WsgiDAV encoded dot segments can escape filesystem share roots · GitHub Advisories
- CVE-2026-45567: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and · NVD
- CVE-2026-46558: Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset auth · NVD
- GHSA-542p-wvx7-72m4 (CVE-2026-48060): Litestar has HTML Injection Through its CSRF Token · GitHub Advisories
- CVE-2026-45062: FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos( · NVD
- GHSA-mqq6-462x-jxmm (CVE-2026-48031): Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery · GitHub Advisories
- GHSA-g9g7-5cgw-6v28 (CVE-2026-48107): Russh: Unchecked keyboard-interactive prompt count in client auth path · GitHub Advisories
- GHSA-7q3w-xqjw-g3cr (CVE-2026-48067): Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields · GitHub Advisories
- GHSA-cxh2-4639-vmc5 (CVE-2026-47701): OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth · GitHub Advisories
- GHSA-hrj8-hjv8-mgwc (CVE-2026-47252): Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin · GitHub Advisories
- CVE-2026-2049: GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allow · NVD
- CVE-2026-44692: Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes · NVD
- GHSA-5375-pq7m-f5r2 (CVE-2026-48068): @grpc/grpc-js: A malformed request can cause a server crash · GitHub Advisories