#OffSeq
CVE-2026-5558: SQL Injection in PHPGurukul PHPGurukul Online Shopping Portal Pro A flaw has been found in PHPGurukul PHPGurukul Online Shopping Portal Project up to 2.1. Impacted is an unknown function of the file /pending-orders.php of the component Parameter Handler. This manipulation of the argument ID causes sql inj

MEDIUM severity SQL injection in PHPGurukul Online Shopping Portal (2.0, 2.1). Exploit code public — remote attackers may target /pending-orders.php. Review and secure your instances: radar.offseq.com/threat/cve-2026-5558-sql... #OffSeq #SQLInjection...

CVE-2026-5550: Stack-based Buffer Overflow in Tenda AC10 The vulnerability CVE-2026-5550 affects Tenda AC10 routers running firmware version 16.03.10.10_multi_TDE01. It is a stack-based buffer overflow in the fromSysToolChangePwd function of the /bin/httpd binary. The flaw can be exploited remote

Tenda AC10 routers (v16.03.10.10_multi_TDE01) hit by HIGH severity buffer overflow — remote code execution possible. No fix yet. Limit remote access & monitor for threats. radar.offseq.com/threat/cve-2026-5550-sta... #OffSeq #routersecurity

CVE-2026-5425: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-5425 is a stored cross-site scripting vulnerability in the trustindex Widgets for Social Photo Feed WordPress plugin affecting all versions up to 1.7.9. The issue is due to improper neutralization of input in the 'feed_data' parame

HIGH severity XSS in trustindex Widgets for Social Photo Feed (≤1.7.9) lets unauthenticated attackers inject scripts via 'feed_data'. No patch yet — disable plugin ASAP. radar.offseq.com/threat/cve-2026-5425-cwe... #OffSeq #WordPress #XSS

CVE-2026-5544: Stack-based Buffer Overflow in UTT HiPER 1250GW This vulnerability involves a stack-based buffer overflow in the UTT HiPER 1250GW device firmware versions up to 3.2.7-210907-180535. The issue arises from improper handling of the Profile argument in a function related to /goform/formRemot

UTT HiPER 1250GW (≤ v3.2.7-210907-180535) faces HIGH severity stack-based buffer overflow risk. Remote exploit possible, public code out. Restrict access & await vendor fix. radar.offseq.com/threat/cve-2026-5544-sta... #OffSeq #Vulnerability #NetSec

CVE-2026-3445: CWE-862 Missing Authorization in properfraction Paid Membership P CVE-2026-3445 is a missing authorization vulnerability (CWE-862) in the ProfilePress WordPress plugin that enables authenticated attackers to bypass payment for paid lifetime membership plans. The flaw arises from the lack of ownership veri

ProfilePress WordPress plugin hit by HIGH severity vuln: subscribers can get paid memberships without paying. No patch yet — restrict user roles & monitor activity. More: radar.offseq.com/threat/cve-2026-3445-cwe... #OffSeq #WordPress #Security

CVE-2026-1233: CWE-798 Use of Hard-coded Credentials in mvirik Text to Speech – CVE-2026-1233 identifies a vulnerability in the Text to Speech for WP (AI Voices by Mementor) plugin for WordPress, versions up to 1.9.8. The plugin's Mementor_TTS_Remote_Telemetry class contains hardcoded MySQL database credentials for the

Text to Speech for WP plugin ≤1.9.8 has HIGH severity flaw: hardcoded MySQL creds allow attackers write access to telemetry DB. Disable or restrict until patched. radar.offseq.com/threat/cve-2026-1233-cwe... #OffSeq #WordPress #Vuln

CVE-2026-2936: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-2936 is a stored cross-site scripting vulnerability in the Visitor Traffic Real Time Statistics plugin for WordPress, affecting all versions up to and including 8.4. The issue stems from improper neutralization of input in the 'pag

HIGH severity XSS in Visitor Traffic Real Time Statistics WP plugin (≤8.4). Unauth attackers can inject persistent scripts via 'page_title'. No patch — restrict access or disable plugin for now. radar.offseq.com/threat/cve-2026-2936-cwe... #OffSeq #W...

CVE-2026-3666: CWE-22 Improper Limitation of a Pathname to a Restricted Director CVE-2026-3666 is a path traversal vulnerability in the wpForo Forum WordPress plugin that permits authenticated users with subscriber-level privileges or above to delete arbitrary files on the server. The issue arises from inadequate valida

wpForo Forum plugin hit by HIGH severity path traversal vuln — subscriber users can delete any server file. No fix yet — restrict user permissions & monitor activity. More: radar.offseq.com/threat/cve-2026-3666-cwe... #OffSeq #WordPress #Security

CVE-2026-25197: CWE-639 in Gardyn Cloud API This vulnerability in the Gardyn Cloud API allows authenticated users to bypass access controls by altering the ID number in an API call, enabling unauthorized access to other users' profiles. It is classified as CWE-639, which involves aut

Gardyn Cloud API CRITICAL flaw: Authenticated users can access other profiles by changing the ID parameter. No fix yet — restrict endpoint access & monitor for misuse. radar.offseq.com/threat/cve-2026-25197-cw... #OffSeq #APIsecurity #CVE202625197

CVE-2026-34612: CWE-89: Improper Neutralization of Special Elements used in an S Kestra, an open-source event-driven orchestration platform, has a SQL Injection vulnerability (CWE-89) in its default docker-compose deployment prior to version 1.3.7. The flaw exists in the GET /api/v1/main/flows/search endpoint, where an

CRITICAL: Kestra < 1.3.7 vulnerable to SQL Injection (CVSS 10). Authenticated users can achieve RCE. Upgrade to v1.3.7 now to stay protected! radar.offseq.com/threat/cve-2026-34612-cw... #OffSeq #Kestra #SQLInjection

CVE-2026-34935: CWE-78: Improper Neutralization of Special Elements used in an O PraisonAI, a multi-agent teams system, versions from 4.5.15 to before 4.5.69, improperly handle the --mcp command-line argument by forwarding it directly to shlex.split() and subsequently to anyio.open_process() without any validation, allo

🚨 CRITICAL alert: PraisonAI v4.5.15 - <4.5.69 has OS command injection (CVE-2026-34935). Attackers can run arbitrary commands. Update to 4.5.69+ ASAP! radar.offseq.com/threat/cve-2026-34935-cw... #OffSeq #CVE202634935 #PraisonAI

CVE-2026-34934: CWE-89: Improper Neutralization of Special Elements used in an S The vulnerability CVE-2026-34934 in PraisonAI versions before 4.5.90 involves improper neutralization of special elements in SQL commands (CWE-89). Specifically, the get_all_user_threads function uses Python f-strings to build raw SQL queri

CRITICAL: PraisonAI <4.5.90 vulnerable to unauthenticated SQL injection, risking full DB compromise. Patch to 4.5.90+ now. Details: radar.offseq.com/threat/cve-2026-34934-cw... #OffSeq #security #SQLInjection

CVE-2026-34938: CWE-693: Protection Mechanism Failure in MervinPraison PraisonAI PraisonAI versions before 1.5.90 contain a protection mechanism failure (CWE-693) in the execute_code() function of the praisonai-agents component. The sandbox intended to restrict execution can be bypassed by passing a specially crafted st

PraisonAI <1.5.90 hit by CRITICAL vuln: sandbox bypass in execute_code() enables OS command execution. Patch to v1.5.90+ now! 🛡️ radar.offseq.com/threat/cve-2026-34938-cw... #OffSeq #CVE202634938 #PraisonAI

CVE-2026-34952: CWE-306: Missing Authentication for Critical Function in MervinP PraisonAI versions before 4.5.97 expose critical functions without authentication on the Gateway server endpoints /ws and /info. This lack of authentication (CWE-306) enables unauthenticated remote attackers to connect via WebSocket, enumer

CRITICAL: PraisonAI < 4.5.97 lets unauthenticated users connect to /ws & /info, exposing agent data & control. Upgrade to 4.5.97+ now for protection. radar.offseq.com/threat/cve-2026-34952-cw... #OffSeq #PraisonAI #Vulnerability

CVE-2026-35616: Escalation of privilege in Fortinet FortiClientEMS This vulnerability in Fortinet FortiClientEMS 7.4.5 and 7.4.6 arises from improper access control that permits unauthenticated attackers to execute unauthorized code or commands by sending specially crafted requests. The CVSS 3.1 vector ind

🚨 Fortinet FortiClientEMS 7.4.5 – 7.4.6: CRITICAL flaw lets unauthenticated attackers run code. Patch now to avoid system compromise! Fix available from Fortinet: radar.offseq.com/threat/cve-2026-35616-es... #OffSeq #Fortinet #SecurityAlert

CVE-2026-34953: CWE-863: Incorrect Authorization in MervinPraison PraisonAI CVE-2026-34953 is an incorrect authorization vulnerability (CWE-863) in MervinPraison's PraisonAI multi-agent teams system. Before version 4.5.97, the OAuthManager.validate_token() method returns true for any bearer token not found in its i

CRITICAL: PraisonAI <4.5.97 lets any bearer token bypass auth, granting full access to agents & tools. Upgrade to 4.5.97+ immediately to patch CVE-2026-34953. radar.offseq.com/threat/cve-2026-34953-cw... #OffSeq #CVE202634953 #security

CVE-2026-34745: CWE-22: Improper Limitation of a Pathname to a Restricted Direct CVE-2026-34745 is a path traversal vulnerability classified under CWE-22 affecting the fireshare self-hosted media and link sharing platform developed by ShaneIsrael. The vulnerability arises from improper validation of the pathname in the

CRITICAL: ShaneIsrael fireshare (<1.5.3) path traversal lets attackers write files on your server via an unauthenticated API. Upgrade to 1.5.3 fast! Details: radar.offseq.com/threat/cve-2026-34745-cw... #OffSeq #CVE202634745 #patchnow

CVE-2026-34838: CWE-502: Deserialization of Untrusted Data in Intermesh groupoff CVE-2026-34838 is a critical vulnerability in Intermesh's Group-Office product, specifically in the AbstractSettingsCollection model responsible for loading configuration settings. The flaw is due to insecure deserialization of untrusted da

CRITICAL: Group-Office (all before 6.8.156/25.0.90/26.0.12) has a deserialization flaw leading to RCE. Authenticated attackers can take over servers. Update immediately! 🔥 radar.offseq.com/threat/cve-2026-34838-cw... #OffSeq #Security #PatchNow

CVE-2026-32213: CWE-285: Improper Authorization in Microsoft Azure AI Foundry CVE-2026-32213 is an improper authorization vulnerability classified under CWE-285 affecting Microsoft Azure AI Foundry, a cloud-based AI platform. The vulnerability allows an attacker to bypass authorization controls and elevate privileges

Azure AI Foundry faces CRITICAL CVE-2026-32213: attackers can elevate privileges remotely. Restrict access, monitor logs, and review permissions ASAP. radar.offseq.com/threat/cve-2026-32213-cw... #OffSeq #Azure #CloudSecurity

CVE-2026-5463: CWE-77 Improper neutralization of special elements leading to com This vulnerability (CVE-2026-5463) in Dan McInerney's pymetasploit3 library arises from improper neutralization of special elements (CWE-77) in the console.run_module_with_output() function. Attackers can inject newline characters into modu

CRITICAL: pymetasploit3 ≤1.0.6 command injection flaw lets attackers execute arbitrary commands via crafted input. Avoid untrusted input, monitor for official fixes. radar.offseq.com/threat/cve-2026-5463-cwe... #OffSeq #CVE20265463 #security

CVE-2026-33107: CWE-918: Server-Side Request Forgery (SSRF) in Microsoft Azure D CVE-2026-33107 is a critical Server-Side Request Forgery (SSRF) vulnerability identified in Microsoft Azure Databricks, a cloud-based data analytics platform widely used for big data processing and machine learning workloads. SSRF vulnerabi

CRITICAL SSRF (CVE-2026-33107) in Azure Databricks exposes internal resources — no auth needed. Restrict outbound traffic, monitor anomalies, and patch ASAP when available. radar.offseq.com/threat/cve-2026-33107-cw... #OffSeq #Azure #CloudSecurity

CVE-2026-26135: CWE-918: Server-Side Request Forgery (SSRF) in Microsoft Azure C CVE-2026-26135 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, affecting the Microsoft Azure Custom Locations Resource Provider (RP). SSRF vulnerabilities occur when an attacker can abuse a server to send una

Critical SSRF in Azure Custom Locations Resource Provider (CVSS 9.6) enables privilege escalation & internal access. Patch ASAP, tighten permissions, segment networks. radar.offseq.com/threat/cve-2026-26135-cw... #OffSeq #Azure #CloudSecurity

CVE-2026-33105: CWE-285: Improper Authorization in Microsoft Azure Kubernetes Se CVE-2026-33105 is a critical security vulnerability classified under CWE-285 (Improper Authorization) affecting Microsoft Azure Kubernetes Service (AKS). This vulnerability allows an attacker to bypass authorization controls remotely over t

Azure Kubernetes Service faces a CRITICAL improper authorization flaw — remote attackers could seize cluster control (CVSS 10). No patch yet. Tighten access, monitor logs, segment networks! radar.offseq.com/threat/cve-2026-33105-cw... #OffSeq #Azure ...

CVE-2026-32211: CWE-306: Missing Authentication for Critical Function in Microso CVE-2026-32211 is a vulnerability identified in Microsoft Azure Web Apps, specifically involving the Azure MCP Server component. The root cause is a missing authentication mechanism on a critical function, categorized under CWE-306 (Missing

CRITICAL: CVE-2026-32211 in Azure Web Apps allows remote data disclosure via missing authentication. No exploits yet — monitor advisories, restrict access, and prep for patches! 🔒 radar.offseq.com/threat/cve-2026-32211-cw... #OffSeq #Azure #CloudSecu...

CVE-2026-34564: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34564 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The flaw exists in versions prior to 0.31.0.0 within the Menu Management functionality, where user-controll

ci4ms CMS < 0.31.0.0 faces CRITICAL stored XSS (CVE-2026-34564). Exploitable via Menu Management with low privileges. Update to 0.31.0.0+ & check for script injections ASAP! radar.offseq.com/threat/cve-2026-34564-cw... #OffSeq #XSS #infosec

CVE-2026-34565: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34565 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during web page generation,

Critical XSS found in ci4ms (<0.31.0.0): Low-priv users can inject persistent scripts in menus, risking admin & user data. Upgrade to 0.31.0.0+ immediately. radar.offseq.com/threat/cve-2026-34565-cw... #OffSeq #XSS #AppSec

CVE-2026-34566: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34566 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability stems from the application’s failure to properly neutralize user-supplied input within th

ci4ms < 0.31.0.0 hit by critical stored XSS (CVSS 9.1). Attackers can inject persistent JavaScript via Page Management. Patch to 0.31.0.0+ & review content now! radar.offseq.com/threat/cve-2026-34566-cw... #OffSeq #XSS #Security

CVE-2026-34567: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34567 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-supplied input during web page generation, sp

ci4ms < 0.31.0.0 hit by CRITICAL XSS (CVE-2026-34567) — attackers can inject persistent JavaScript via blog categories. Upgrade & audit now! radar.offseq.com/threat/cve-2026-34567-cw... #OffSeq #XSS #security

CVE-2026-34568: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34568 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a modular CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during blog post cre

Critical XSS in ci4ms (<0.31.0.0): attackers can inject persistent JS via blog posts. Upgrade to 0.31.0.0 ASAP to block data theft & session hijacking. Details: radar.offseq.com/threat/cve-2026-34568-cw... #OffSeq #XSS #security

CVE-2026-34569: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34569 is a critical stored cross-site scripting (XSS) vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user input during web page generation, specif

ci4ms CMS <0.31.0.0 has CRITICAL XSS (CVE-2026-34569): attackers can inject JS in blog categories, risking total compromise. Patch now! radar.offseq.com/threat/cve-2026-34569-cw... #OffSeq #XSS #CMSecurity
