{"version":"https://jsonfeed.org/version/1.1","title":"Lyrie Research","home_page_url":"https://research.lyrie.ai","feed_url":"https://research.lyrie.ai/api/feed.json","items":[{"id":"https://research.lyrie.ai/research/cve-2026-34615-adobe-connect","url":"https://research.lyrie.ai/research/cve-2026-34615-adobe-connect","title":"CRITICAL: CVE-2026-34615 (CVSS 9.3) — adobe connect","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.","content_text":"# CRITICAL: CVE-2026-34615 (CVSS 9.3) — adobe connect\n\n**CVE:** CVE-2026-34615  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- adobe connect\n- apple macos\n- microsoft windows\n- adobe connect desktop application\n\n## Summary\nAdobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. 
Scope is changed.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-34615)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-34615)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-34615)\n\n## References\n- https://helpx.adobe.com/security/products/connect/apsb26-37.html\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-14T18:17:36.373","date_modified":"2026-04-28T03:16:04.310","tags":["adobe","apple","microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-27303-adobe-connect","url":"https://research.lyrie.ai/research/cve-2026-27303-adobe-connect","title":"CRITICAL: CVE-2026-27303 (CVSS 9.6) — adobe connect","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.","content_text":"# CRITICAL: CVE-2026-27303 (CVSS 9.6) — adobe connect\n\n**CVE:** CVE-2026-27303  \n**CVSS:** 9.6 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- adobe connect\n- apple macos\n- microsoft windows\n- adobe connect desktop application\n\n## Summary\nAdobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. 
Scope is changed.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-27303)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-27303)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-27303)\n\n## References\n- https://helpx.adobe.com/security/products/connect/apsb26-37.html\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-14T18:16:56.633","date_modified":"2026-04-28T03:16:04.187","tags":["adobe","apple","microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-27246-adobe-connect","url":"https://research.lyrie.ai/research/cve-2026-27246-adobe-connect","title":"CRITICAL: CVE-2026-27246 (CVSS 9.3) — adobe connect","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.","content_text":"# CRITICAL: CVE-2026-27246 (CVSS 9.3) — adobe connect\n\n**CVE:** CVE-2026-27246  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- adobe connect\n- apple macos\n- microsoft windows\n- adobe connect desktop application\n\n## Summary\nAdobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. 
Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-27246)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-27246)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-27246)\n\n## References\n- https://helpx.adobe.com/security/products/connect/apsb26-37.html\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-14T18:16:56.050","date_modified":"2026-04-28T03:16:04.073","tags":["adobe","apple","microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-27245-adobe-connect","url":"https://research.lyrie.ai/research/cve-2026-27245-adobe-connect","title":"CRITICAL: CVE-2026-27245 (CVSS 9.3) — adobe connect","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.","content_text":"# CRITICAL: CVE-2026-27245 (CVSS 9.3) — adobe connect\n\n**CVE:** CVE-2026-27245  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- adobe connect\n- apple macos\n- microsoft windows\n- adobe connect desktop application\n\n## Summary\nAdobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. 
An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-27245)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-27245)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-27245)\n\n## References\n- https://helpx.adobe.com/security/products/connect/apsb26-37.html\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-14T18:16:55.890","date_modified":"2026-04-28T03:16:03.960","tags":["adobe","apple","microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-27243-adobe-connect","url":"https://research.lyrie.ai/research/cve-2026-27243-adobe-connect","title":"CRITICAL: CVE-2026-27243 (CVSS 9.3) — adobe connect","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. 
Scope is changed.","content_text":"# CRITICAL: CVE-2026-27243 (CVSS 9.3) — adobe connect\n\n**CVE:** CVE-2026-27243  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- adobe connect\n- apple macos\n- microsoft windows\n- adobe connect desktop application\n\n## Summary\nAdobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-27243)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-27243)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-27243)\n\n## References\n- https://helpx.adobe.com/security/products/connect/apsb26-37.html\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-14T18:16:55.730","date_modified":"2026-04-28T03:16:03.840","tags":["adobe","apple","microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/glassworm-73-openvsx-2026-04-28","url":"https://research.lyrie.ai/research/glassworm-73-openvsx-2026-04-28","title":"GlassWorm escalates: 73 Open VSX sleeper extensions deploy malware to VS Code, Cursor, and every VSIX IDE","summary":"73 sleeper extensions on Open VSX tied to GlassWorm: 6 actively deploying malware, 67 dormant, 2 IOC SHA256s confirmed. 
No patch — manual mitigation required.","content_text":"**Published:** April 28, 2026  \n**Author:** Lyrie Research (research.lyrie.ai)  \n**Stream:** AI Threats  \n**Status:** Actively exploited — no vendor patch available  \n**IOC SHA256 (native binary):** `1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168`  \n**IOC SHA256 (VSIX payload):** `97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd`\n\n---\n\n## TL;DR\n\nSocket Research identified 73 malicious extensions on Open VSX — the Eclipse-backed alternative to the Microsoft Marketplace — as part of an active GlassWorm campaign first disclosed on April 25, 2026. Six are already weaponized and pulling second-stage payloads from `github.com/SquadMagistrate10/wnxtgkih`; the remaining 67 are dormant, pre-positioned on developer machines, and can activate at any time without a new install. The VSIX format means every IDE that accepts VSIX packages is exposed: Microsoft VS Code, Anysphere Cursor, Codeium Windsurf, OpenVSCode-Server. No CVE is assigned — this is a campaign-class attack, and there is no vendor patch. Mitigation is manual.\n\n---\n\n## What is GlassWorm and why this campaign is different\n\nGlassWorm is a persistent threat actor group known for targeting developer toolchains through software supply-chain manipulation. Prior campaigns — documented as far back as 2024 — focused on PyPI typosquats and npm package poisoning targeting specific framework communities. The April 2026 wave is different in three ways.\n\n**First, the distribution channel.** Open VSX Registry, maintained by the Eclipse Foundation, hosts extensions compatible with any VS Code-derived IDE. It was created specifically to serve IDEs that cannot or will not use Microsoft's proprietary Marketplace — Cursor, Windsurf, Gitpod, OpenVSCode-Server, VSCodium, all rely on it. Open VSX operates with a significantly lighter review process than the official Microsoft Marketplace. 
GlassWorm chose it not despite its smaller footprint, but because of it: lower review friction, high-trust reputatio","date_published":"2026-04-28T03:01:00.000Z","date_modified":"2026-04-28T03:01:00.000Z","tags":["glassworm","open-vsx","supply-chain","vsix","vs-code","cursor","agentic-coding","actively-exploited"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-layerwise-convergence-fingerprints-for-runtime-misbehavior-d-2026-","url":"https://research.lyrie.ai/research/agent-threats-layerwise-convergence-fingerprints-for-runtime-misbehavior-d-2026-","title":"Layerwise Convergence Fingerprints for Runtime Misbehavior Detection in Large Language Models","summary":"Large language models deployed at runtime can misbehave in ways that clean-data validation cannot anticipate: training-time backdoors lie dormant until triggered, jailbreaks subvert safety alignment, ","content_text":"# Layerwise Convergence Fingerprints for Runtime Misbehavior Detection in Large Language Models\n\n_AI Threats — being enriched by Lyrie Threat Intelligence._","date_published":"2026-04-28T02:30:04.668Z","date_modified":"2026-04-28T02:30:04.668Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-mas-szz-multi-agentic-szz-algorithm-for-vulnerability-induc-2026-0","url":"https://research.lyrie.ai/research/agent-threats-mas-szz-multi-agentic-szz-algorithm-for-vulnerability-induc-2026-0","title":"MAS-SZZ: Multi-Agentic SZZ Algorithm for Vulnerability-Inducing Commit Identification","summary":"Accurate vulnerability-inducing commit identification serves as a foundation for a series of software security tasks, such as vulnerability detection and affected version analysis. 
A straightforward s","content_text":"# MAS-SZZ: Multi-Agentic SZZ Algorithm for Vulnerability-Inducing Commit Identification\n\n_AI Threats — being enriched by Lyrie Threat Intelligence._","date_published":"2026-04-28T02:30:04.668Z","date_modified":"2026-04-28T02:30:04.668Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-system-aware-contextual-digital-twin-for-ics-anomaly-diagnos-2026-","url":"https://research.lyrie.ai/research/agent-threats-system-aware-contextual-digital-twin-for-ics-anomaly-diagnos-2026-","title":"System-aware contextual digital twin for ICS anomaly diagnosis","summary":"Industrial Control Systems (ICS) integrate computing, physical processes, and communication to operate critical infrastructures such as power grids, water treatment plants, and oil and gas facilities.","content_text":"# System-aware contextual digital twin for ICS anomaly diagnosis\n\n_AI Threats — being enriched by Lyrie Threat Intelligence._","date_published":"2026-04-28T02:30:04.667Z","date_modified":"2026-04-28T02:30:04.667Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-agentvisor-defending-llm-agents-against-prompt-injection-vi-2026-0","url":"https://research.lyrie.ai/research/agent-threats-agentvisor-defending-llm-agents-against-prompt-injection-vi-2026-0","title":"AgentVisor: Defending LLM Agents Against Prompt Injection via Semantic Virtualization","summary":"Large Language Model (LLM) agents are increasingly used to automate complex workflows, but integrating untrusted external data with privileged execution exposes them to severe security risks, particul","content_text":"# AgentVisor: Defending LLM Agents Against Prompt Injection via Semantic Virtualization\n\n_AI Threats — being enriched by Lyrie Threat 
Intelligence._","date_published":"2026-04-28T02:30:04.666Z","date_modified":"2026-04-28T02:30:04.666Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-poster-clawdgo-endogenous-security-awareness-training-for-2026-04-","url":"https://research.lyrie.ai/research/agent-threats-poster-clawdgo-endogenous-security-awareness-training-for-2026-04-","title":"Poster: ClawdGo: Endogenous Security Awareness Training for Autonomous AI Agents","summary":"Autonomous AI agents deployed on platforms such as OpenClaw face prompt injection, memory poisoning, supply-chain attacks, and social engineering, yet existing defences address only the platform perim","content_text":"# Poster: ClawdGo: Endogenous Security Awareness Training for Autonomous AI Agents\n\n_AI Threats — being enriched by Lyrie Threat Intelligence._","date_published":"2026-04-28T02:30:04.665Z","date_modified":"2026-04-28T02:30:04.665Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-1114-lollms-lollms","url":"https://research.lyrie.ai/research/cve-2026-1114-lollms-lollms","title":"CRITICAL: CVE-2026-1114 (CVSS 9.8) — lollms lollms","summary":"In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. 
The issue is resolved in version 2.2.0.","content_text":"# CRITICAL: CVE-2026-1114 (CVSS 9.8) — lollms lollms\n\n**CVE:** CVE-2026-1114  \n**CVSS:** 9.8 (3.0) — `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- lollms lollms\n\n## Summary\nIn parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-1114)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-1114)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-1114)\n\n## References\n- https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34\n- https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-04-07T07:16:23.633","date_modified":"2026-04-28T00:00:29.800","tags":["lollms","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach","url":"https://research.lyrie.ai/research/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach","title":"Regulator fines Fidelity Brokerage Services $1.25M over data breach","summary":"Melanie Waddell reports: William Galvin, Massachusetts’ top securities regulator, ordered Fidelity Brokerage Services on Monday to pay $1.25 million for failing to enforce appropriate cybersecurity controls that resulted in a data breach affecting about 77,000 customers. &#","content_text":"# Regulator fines Fidelity Brokerage Services $1.25M over data breach\n\nSource: [DataBreaches.net](https://databreaches.net/2026/04/27/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach/?pk_campaign=feed&pk_kwd=regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach)  \nPublished: Mon, 27 Apr 2026 23:44:04 +0000\n\n## Summary\nMelanie Waddell reports: William Galvin, Massachusetts’ top securities regulator, ordered Fidelity Brokerage Services on Monday to pay $1.25 million for failing to enforce appropriate cybersecurity controls that resulted in a data breach affecting about 77,000 customers. 
“After learning of the breach, Fidelity also failed to notify many impacted residents, including the relatives and minor children...\n\n## Sources\n- [DataBreaches.net report](https://databreaches.net/2026/04/27/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach/?pk_campaign=feed&pk_kwd=regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach)\n- [DataBreaches.net feed](https://databreaches.net/feed/)\n- [Lyrie threat desk](https://research.lyrie.ai/authors/lyrie-threat-intelligence)","date_published":"Mon, 27 Apr 2026 23:44:04 +0000","date_modified":"Mon, 27 Apr 2026 23:44:04 +0000","tags":["breach","databreaches-net"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-34989-ci4-cms-erp-ci4ms","url":"https://research.lyrie.ai/research/cve-2026-34989-ci4-cms-erp-ci4ms","title":"CRITICAL: CVE-2026-34989 (CVSS 9) — ci4-cms-erp ci4ms","summary":"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.","content_text":"# CRITICAL: CVE-2026-34989 (CVSS 9) — ci4-cms-erp ci4ms\n\n**CVE:** CVE-2026-34989  \n**CVSS:** 9 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- ci4-cms-erp ci4ms\n\n## Summary\nCI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. 
Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-34989)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-34989)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-34989)\n\n## References\n- https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-06T17:17:12.037","date_modified":"2026-04-27T23:41:16.540","tags":["ci4-cms-erp","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-tracescope-interactive-url-triage-via-decoupled-checklist-a-2026-0","url":"https://research.lyrie.ai/research/agent-threats-tracescope-interactive-url-triage-via-decoupled-checklist-a-2026-0","title":"TraceScope: Interactive URL Triage via Decoupled Checklist Adjudication","summary":"Modern phishing campaigns increasingly evade snapshot-based URL classifiers using interaction gates (e.g., checkbox/slider challenges), delayed content rendering, and logo-less credential harvesters. 
","content_text":"# TraceScope: Interactive URL Triage via Decoupled Checklist Adjudication\n\n_AI Threats — being enriched by Lyrie Threat Intelligence._","date_published":"2026-04-27T23:18:48.198Z","date_modified":"2026-04-27T23:18:48.198Z","tags":["agent-threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-automation-exploit-a-multi-agent-llm-framework-for-adaptive-2026-0","url":"https://research.lyrie.ai/research/agent-threats-automation-exploit-a-multi-agent-llm-framework-for-adaptive-2026-0","title":"Automation-Exploit: Multi‑Agent LLMs weaponized with digital-twin guardrails","summary":"arXiv preprint details an autonomous multi‑agent LLM framework that exfiltrates binaries and uses digital twins to mitigate “live fire” exploit risk.","content_text":"## What happened\nA new arXiv preprint introduces Automation‑Exploit, a fully autonomous Multi‑Agent System (MAS) for adaptive offensive security in complex black‑box scenarios. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\nThe authors argue the current ecosystem is fragmented: enterprise platforms avoid memory‑corruption classes due to DoS risk, AEG systems lack semantic grounding, and LLM agents are throttled by safety filters and “live fire” hazards. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\nAutomation‑Exploit claims to bridge the abstraction gap from reconnaissance to exploitation by autonomously exfiltrating executables and orchestrating exploitation through a digital‑twin safety layer. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\n## Why it matters\nIf MAS‑driven LLM agents can pull binaries out of target environments and iterate against a digital twin, they reduce the need for risky live probing during exploit development. 
[arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\nBy sidestepping real‑time target instability, the framework re‑opens memory‑corruption exploitation paths typically de‑prioritized for availability reasons in enterprise operations. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\nMemory‑corruption flaws can yield DoS or code execution, making risk‑managed exploitation pipelines materially impactful for both red teams and adversaries. [MITRE CWE‑787](https://cwe.mitre.org/data/definitions/787.html)\n\nBy explicitly tackling the “semantic blindness” of AEG with agentic orchestration, the system claims higher effectiveness in black‑box conditions where source and symbols are absent. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\n## Technical detail\nThe framework is presented as a multi‑agent LLM system coordinating reconnaissance, binary exfiltration, exploit generation, and risk‑mitigated execution. [arXiv:2604.22427v1](http://arxiv.org/abs/2604.22427v1)\n\nIt specifically describes auto","date_published":"2026-04-27T23:18:48.197Z","date_modified":"2026-04-27T23:18:48.197Z","tags":["agent-threats","LLM","Multi-Agent","Automation-Exploit","Digital Twin","Offensive Security","AEG","Agent Threats"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-openclaw-mcp-stdio-server-env-could-load-dangerous-startup-2026-04","url":"https://research.lyrie.ai/research/agent-threats-openclaw-mcp-stdio-server-env-could-load-dangerous-startup-2026-04","title":"OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config","summary":"## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nWorkspace MCP stdio configuration could pass dangerous proces","content_text":"# OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config\n\n_AI Threats — being 
enriched by Lyrie Threat Intelligence._","date_published":"2026-04-27T23:18:48.196Z","date_modified":"2026-04-27T23:18:48.196Z","tags":["agent-threats","ghsa-mj59-h3q9-ghfh"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-openclaw-agent-gateway-config-mutations-could-change-protec-2026-0","url":"https://research.lyrie.ai/research/agent-threats-openclaw-agent-gateway-config-mutations-could-change-protec-2026-0","title":"OpenClaw: Agent gateway config mutations could change protected operator settings","summary":"OpenClaw < 2026.4.20 let agent-facing config.patch/apply change operator‑trusted settings; fixed in 2026.4.20. Model-to-operator guard bypass, medium.","content_text":"## What happened\n\nOpenClaw’s agent-facing gateway operations `gateway config.patch` and `config.apply` failed to fully guard operator‑trusted fields prior to version 2026.4.20, enabling a model to persist sensitive configuration changes outside its intended scope [GitHub Advisory](https://github.com/advisories/GHSA-7jm2-g593-4qrc). The vulnerable range is all `openclaw` npm releases `< 2026.4.20`, with fixes shipped in `2026.4.20` [GHSA-7jm2-g593-4qrc](https://github.com/advisories/GHSA-7jm2-g593-4qrc). The issue is explicitly a model‑to‑operator guard bypass, not a remote unauthenticated gateway compromise, and is rated medium severity [advisory summary](https://github.com/advisories/GHSA-7jm2-g593-4qrc).\n\nA prompt‑injected model with access to the owner‑only gateway tool could change guarded settings via these config mutation flows, persisting changes that should have required operator control [OpenClaw advisory](https://github.com/advisories/GHSA-7jm2-g593-4qrc). The fix extends the block on model‑driven config mutations to a broader set of trusted paths and correctly handles per‑agent overrides and array‑entry patching [fix noted](https://github.com/advisories/GHSA-7jm2-g593-4qrc). 
The remediation shipped in commit `fe30b31a97a917ecc6e92f6c85378b6b20352422` as part of the `2026.4.20` release [fix commit in advisory](https://github.com/advisories/GHSA-7jm2-g593-4qrc).\n\n## Why it matters\n\nThe guard gap covered operator‑trusted knobs that define the security posture of the gateway and its connected agents, allowing a compromised or coerced model to degrade protections without operator review [GHSA](https://github.com/advisories/GHSA-7jm2-g593-4qrc). Exposed settings included:\n\n- Sandbox policy, which constrains agent execution [advisory](https://github.com/advisories/GHSA-7jm2-g593-4qrc)\n- Plugin enablement, which gates capability expansion [advisory](https://github.com/advisories/GHSA-7jm2-g593-4qrc)\n- Gateway auth/TLS, foundational for channel integrity [advisory","date_published":"2026-04-27T23:18:48.195Z","date_modified":"2026-04-27T23:18:48.195Z","tags":["agent-threats","ghsa-7jm2-g593-4qrc","openclaw","GHSA-7jm2-g593-4qrc","npm","config-guard-bypass"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-litellm-authenticated-command-execution-via-mcp-stdio-test-2026-04","url":"https://research.lyrie.ai/research/agent-threats-litellm-authenticated-command-execution-via-mcp-stdio-test-2026-04","title":"LiteLLM: Authenticated command execution via MCP stdio test endpoints","summary":"LiteLLM’s MCP test endpoints let any authenticated key spawn commands via stdio configs; fixed by enforcing admin role.","content_text":"## What happened\n\nTwo LiteLLM MCP “preview” endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full MCP server config in the body, including stdio transport fields `command`, `args`, and `env`; when invoked with stdio settings, the proxy attempted a connection that spawned the supplied command as a subprocess on the proxy host with the proxy’s privileges ([GitHub Advisory 
GHSA-v4p8-mg3p-g94g](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).\n\nThese test endpoints were protected only by a valid proxy API key, with no role check; any authenticated user — including holders of low‑privilege internal‑user keys — could execute arbitrary commands on the host ([GHSA-v4p8-mg3p-g94g advisory](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).\n\nThe issue is fixed in LiteLLM version 1.83.7; both test endpoints now require the PROXY_ADMIN role, aligning them with the save endpoint’s authorization behavior ([patch note in GHSA](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).\n\nIf you cannot upgrade immediately, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy or API gateway as a workaround ([workarounds per GHSA](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).\n\n## Why it matters\n\nThis is an authenticated command execution path embedded in an agent-integration preview flow. Any compromised or misused low-privilege proxy key could be leveraged to spawn attacker‑controlled processes on the proxy host, running with the proxy process’s effective privileges ([LiteLLM advisory](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).\n\nIn stacks where AI agents rely on MCP servers bridged through a proxy, a “test connection” call becomes a host‑level execution primitive when stdio is accepted verbatim — a sharp deviation from the principle of least privilege. 
Enforcing an admin‑only role on these endpoints closes that gap, but environments that lag upgrades remain exposed to authenticated abuse","date_published":"2026-04-27T23:18:48.194Z","date_modified":"2026-04-27T23:18:48.194Z","tags":["agent-threats","ghsa-v4p8-mg3p-g94g","LiteLLM","MCP stdio","Authenticated command execution","GHSA-v4p8-mg3p-g94g","PROXY_ADMIN","1.83.7","Agent security","RCE"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/alleged-silk-typhoon-hacker-extradited-to-us","url":"https://research.lyrie.ai/research/alleged-silk-typhoon-hacker-extradited-to-us","title":"Alleged Silk Typhoon hacker extradited to US","summary":"Lawrence Abrams reports: A Chinese national accused of carrying out cyberespionage operations for China’s intelligence services has been extradited from Italy to the United States to face criminal charges. According to a DOJ announcement, Xu Zewei is alleged to be a contrac","content_text":"# Alleged Silk Typhoon hacker extradited to US\n\nSource: [DataBreaches.net](https://databreaches.net/2026/04/27/alleged-silk-typhoon-hacker-extradited-to-us/?pk_campaign=feed&pk_kwd=alleged-silk-typhoon-hacker-extradited-to-us)  \nPublished: Mon, 27 Apr 2026 23:12:59 +0000\n\n## Summary\nLawrence Abrams reports: A Chinese national accused of carrying out cyberespionage operations for China’s intelligence services has been extradited from Italy to the United States to face criminal charges. 
According to a DOJ announcement, Xu Zewei is alleged to be a contract hacker for China’s Ministry of State Security (MSS) who conducted breaches between February...\n\n## Sources\n- [DataBreaches.net report](https://databreaches.net/2026/04/27/alleged-silk-typhoon-hacker-extradited-to-us/?pk_campaign=feed&pk_kwd=alleged-silk-typhoon-hacker-extradited-to-us)\n- [DataBreaches.net feed](https://databreaches.net/feed/)\n- [Lyrie threat desk](https://research.lyrie.ai/authors/lyrie-threat-intelligence)","date_published":"Mon, 27 Apr 2026 23:12:59 +0000","date_modified":"Mon, 27 Apr 2026 23:12:59 +0000","tags":["breach","databreaches-net"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/agent-threats-field-guide-2026-04-27","url":"https://research.lyrie.ai/research/agent-threats-field-guide-2026-04-27","title":"11 ways agents get hijacked in 2026 — a defender's field guide","summary":"A sourced taxonomy of 11 real-world agent exploitation classes — from prompt injection to poisoned weights — with named CVEs, papers, and Shield coverage.","content_text":"**Published:** April 27, 2026  \n**Author:** Lyrie Research (research.lyrie.ai)  \n**Stream:** AI Threats — inaugural post\n\n---\n\n## TL;DR\n\nAgent security in 2026 is not a prompt-injection problem. It is an end-to-end operational security problem spanning tool calls, supply chains, memory stores, execution sandboxes, and inter-agent messaging — most of which your WAF cannot see. This post names eleven attack classes, each with a real incident or paper, concrete defender actions, and an honest account of what Lyrie Shield covers today. Read it before your next agent deployment, not after your first incident.\n\n---\n\n## Why this taxonomy now\n\nThe threat model shifted in 2024. Before that, \"LLM security\" meant jailbreaks and harmful outputs — a model-alignment problem, contained inside the inference boundary. Agents broke that boundary. 
A deployed agent has filesystem access, outbound HTTP, code execution, calendar write, email send, GitHub PR merge. Exploiting it no longer means getting it to say something bad; it means getting it to *do* something bad on an attacker's behalf while the operator watches a green dashboard.\n\nMost defenses shipped so far are retrofitted from the pre-agent era: input sanitization, output moderation, RBAC on the API key. These controls were designed for stateless request-response systems. Agents are stateful, tool-wielding, multi-step actors with a published research record of exploitation that is now 18 months old. Defenders still at \"we added a prompt injection filter\" are defending against 2022 threats with 2026 deployments.\n\n---\n\n## The taxonomy\n\n### 1. Direct prompt injection\n\n**Mechanism.** The user submits text that overrides or bypasses the system prompt — classically `Ignore previous instructions and...`, but practically through role assignments, token-budget pressure, or multi-turn context manipulation. Many-shot variants (sufficiently long distracting prefixes that cause models to forget earlier constraints) are documented in [Anthrop","date_published":"2026-04-27T22:30:00.000Z","date_modified":"2026-04-27T22:30:00.000Z","tags":["agent-security","prompt-injection","mcp","supply-chain","rag-poisoning","model-security","browser-agent","privilege-confusion","exfiltration"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/lyrie-original-shipping-velocity-2026-04-27","url":"https://research.lyrie.ai/research/lyrie-original-shipping-velocity-2026-04-27","title":"17 releases, 442 tests, 9 days: how we shipped a multi-channel, multi-backend pentest agent","summary":"Day 9 of the lyrie-agent repo: four PRs land covering a Python SDK, a 35-tool vetted catalog with NL-recommend, 7 new channel adapters, and pluggable Local/Daytona/Modal backends. 
442 tests, 0 failures, 0 regressions.","content_text":"**Published:** April 27, 2026  \n**Author:** Lyrie Research (research.lyrie.ai)  \n**Repo:** [github.com/overthetopseo/lyrie-agent](https://github.com/overthetopseo/lyrie-agent)  \n**Tags v0.3.0 – v0.3.3 shipped:** April 27, 2026\n\n---\n\n## TL;DR\n\nOn April 27, 2026 — day 9 of the repo being public — we shipped four pull requests (PR #36 through PR #39) covering a Python SDK, a vetted tool catalog with NL-recommend, 7 new channel adapters, and a pluggable backend abstraction. End-of-day: 442 tests, 0 failures, 10 channels, 3 execution backends, one `pip install` away from scanning. The repo is at ~514 stars with no marketing spend.\n\n---\n\n## What shipped\n\n### PR #36 — Python SDK (v0.3.0 + sdk-py-v0.3.0)\n\n`pip install lyrie-agent` now works. PR #36 is a pure-Python port of every pentest primitive we had in TypeScript: Shield Doctrine enforcement, Attack-Surface Mapper, Stages A–F validator, Multi-Lang Scanners, an HTTP Proxy with capture/classify/replay/mutator pipeline, EditEngine, and a Threat-Intel client. Zero mandatory runtime dependencies — `httpx` is opt-in via the `lyrie-agent[http]` extra so you don't pull network libraries into environments that don't need them.\n\nWe validated across the full matrix: Python 3.10, 3.11, 3.12, and 3.13 on Ubuntu and macOS — 63 tests, all green, every combination. The SDK mirrors the TypeScript surface faithfully enough that a security engineer who reads the TypeScript tests can run the Python equivalents without relearning anything. That was the design constraint.\n\n### PR #37 — Tools Catalog + cross-CI (v0.3.1)\n\nPR #37 adds `packages/core/src/tools-catalog/` — 19 categories, 35 vetted tools. 
The UX drew inspiration from Z4nzu/hackingtool (66K stars) but every line of code is original, and the curation policy is ours: Nuclei, Amass, Subfinder, httpx, Katana, theHarvester, sqlmap, Nikto, ffuf, Feroxbuster, Gobuster, Dirsearch, ZAP, Arjun, DalFox, XSStrike, Gitleaks, TruffleHog, BloodHound, NetExec, Impacket, Kerbrute, Prowler, ScoutSui","date_published":"2026-04-27T21:47:01.761Z","date_modified":"2026-04-27T21:47:01.761Z","tags":["lyrie-original","engineering","release","architecture","open-source","pentest"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-7156-advisory","url":"https://research.lyrie.ai/research/cve-2026-7156-advisory","title":"CRITICAL: CVE-2026-7156 (CVSS 9.8) — multiple products","summary":"A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument HTTP results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.","content_text":"# CRITICAL: CVE-2026-7156 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-7156  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument HTTP results in os command injection. The attack may be launched remotely. 
The exploit is now public and may be used.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-7156)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-7156)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-7156)\n\n## References\n- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_320/README.md\n- https://vuldb.com/submit/801142\n- https://vuldb.com/vuln/359755\n- https://vuldb.com/vuln/359755/cti\n- https://www.totolink.net/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-27T21:16:44.000","date_modified":"2026-04-27T21:16:44.000","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-7155-advisory","url":"https://research.lyrie.ai/research/cve-2026-7155-advisory","title":"CRITICAL: CVE-2026-7155 (CVSS 9.8) — multiple products","summary":"A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.","content_text":"# CRITICAL: CVE-2026-7155 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-7155  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated remotely. 
The exploit has been disclosed publicly and may be used.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-7155)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-7155)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-7155)\n\n## References\n- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_319/README.md\n- https://vuldb.com/submit/801141\n- https://vuldb.com/vuln/359754\n- https://vuldb.com/vuln/359754/cti\n- https://www.totolink.net/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-27T21:16:43.833","date_modified":"2026-04-27T21:16:43.833","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-7154-advisory","url":"https://research.lyrie.ai/research/cve-2026-7154-advisory","title":"CRITICAL: CVE-2026-7154 (CVSS 9.8) — multiple products","summary":"A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.","content_text":"# CRITICAL: CVE-2026-7154 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-7154  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack can be launched remotely. 
The exploit has been made available to the public and could be used for attacks.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-7154)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-7154)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-7154)\n\n## References\n- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_318/README.md\n- https://vuldb.com/submit/801140\n- https://vuldb.com/vuln/359753\n- https://vuldb.com/vuln/359753/cti\n- https://www.totolink.net/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-27T21:16:43.660","date_modified":"2026-04-27T21:16:43.660","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/supreme-court-signals-location-data-searches-should-require-a-warrant","url":"https://research.lyrie.ai/research/supreme-court-signals-location-data-searches-should-require-a-warrant","title":"Supreme Court signals location data searches should require a warrant","summary":"Privacy advocates had worried that the high court would rule that geofencing does not qualify as a constitutionally protected search, opening the door to much broader use of warrantless reverse searches of all types.","content_text":"# Supreme Court signals location data searches should require a warrant\n\nSource: [The Record](https://therecord.media/supreme-court-signals-location-data-searches-require-warrant)  \nPublished: Mon, 27 Apr 2026 20:52:00 GMT\n\n## Summary\nPrivacy advocates had worried that the high court would rule that geofencing does not qualify as a constitutionally protected search, opening the door to much broader use of warrantless reverse searches of all types.\n\n## Sources\n- [The Record report](https://therecord.media/supreme-court-signals-location-data-searches-require-warrant)\n- [The Record 
feed](https://therecord.media/feed)\n- [Lyrie threat desk](https://research.lyrie.ai/authors/lyrie-threat-intelligence)","date_published":"Mon, 27 Apr 2026 20:52:00 GMT","date_modified":"Mon, 27 Apr 2026 20:52:00 GMT","tags":["breach","the-record"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-7152-advisory","url":"https://research.lyrie.ai/research/cve-2026-7152-advisory","title":"CRITICAL: CVE-2026-7152 (CVSS 9.8) — multiple products","summary":"A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.","content_text":"# CRITICAL: CVE-2026-7152 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-7152  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible to launch the attack remotely. 
The exploit is publicly available and might be used.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-7152)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-7152)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-7152)\n\n## References\n- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_316/README.md\n- https://vuldb.com/submit/801138\n- https://vuldb.com/vuln/359751\n- https://vuldb.com/vuln/359751/cti\n- https://www.totolink.net/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-27T20:16:29.063","date_modified":"2026-04-27T20:21:52.070","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-7153-advisory","url":"https://research.lyrie.ai/research/cve-2026-7153-advisory","title":"CRITICAL: CVE-2026-7153 (CVSS 9.8) — multiple products","summary":"A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.","content_text":"# CRITICAL: CVE-2026-7153 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-7153  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. 
The exploit has been released to the public and may be used for attacks.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-7153)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-7153)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-7153)\n\n## References\n- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_317/README.md\n- https://vuldb.com/submit/801139\n- https://vuldb.com/vuln/359752\n- https://vuldb.com/vuln/359752/cti\n- https://www.totolink.net/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-27T20:16:29.230","date_modified":"2026-04-27T20:21:52.070","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-59557-advisory","url":"https://research.lyrie.ai/research/cve-2025-59557-advisory","title":"CRITICAL: CVE-2025-59557 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection. This issue affects Learts Addons: from n/a through < 1.7.5.","content_text":"# CRITICAL: CVE-2025-59557 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-59557  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection. This issue affects Learts Addons: from n/a through < 1.7.5.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-59557)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-59557)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-59557)\n\n## References\n- 
https://patchstack.com/database/Wordpress/Plugin/learts-addons/vulnerability/wordpress-learts-addons-plugin-1-7-5-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2025-10-22T15:15:54.117","date_modified":"2026-04-27T20:16:24.090","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-59007-advisory","url":"https://research.lyrie.ai/research/cve-2025-59007-advisory","title":"CRITICAL: CVE-2025-59007 (CVSS 9.8) — multiple products","summary":"Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection. This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.","content_text":"# CRITICAL: CVE-2025-59007 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-59007  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nDeserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection. This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-59007)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-59007)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-59007)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/tf-woo-product-grid/vulnerability/wordpress-tf-woo-product-grid-addon-for-elementor-plugin-1-0-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-10-22T15:15:53.730","date_modified":"2026-04-27T20:16:23.967","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-58963-advisory","url":"https://research.lyrie.ai/research/cve-2025-58963-advisory","title":"CRITICAL: CVE-2025-58963 (CVSS 10) — multiple products","summary":"Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server. This issue affects Medcity: from n/a through < 1.1.9.","content_text":"# CRITICAL: CVE-2025-58963 (CVSS 10) — multiple products\n\n**CVE:** CVE-2025-58963  \n**CVSS:** 10 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nUnrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server. This issue affects Medcity: from n/a through < 1.1.9.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-58963)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-58963)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-58963)\n\n## References\n- https://patchstack.com/database/Wordpress/Theme/medcity/vulnerability/wordpress-medcity-theme-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-10-22T15:15:52.830","date_modified":"2026-04-27T20:16:22.830","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-58951-advisory","url":"https://research.lyrie.ai/research/cve-2025-58951-advisory","title":"CRITICAL: CVE-2025-58951 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection. This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.","content_text":"# CRITICAL: CVE-2025-58951 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-58951  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection. This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-58951)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-58951)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-58951)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/scw-seat-reservation/vulnerability/wordpress-advance-seat-reservation-management-for-woocommerce-plugin-3-1-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-12-18T08:16:03.030","date_modified":"2026-04-27T20:16:22.443","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-49931-advisory","url":"https://research.lyrie.ai/research/cve-2025-49931-advisory","title":"CRITICAL: CVE-2025-49931 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection. This issue affects JetSearch: from n/a through <= 3.5.10.","content_text":"# CRITICAL: CVE-2025-49931 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-49931  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection. This issue affects JetSearch: from n/a through <= 3.5.10.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-49931)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-49931)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-49931)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-10-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-10-22T15:15:39.227","date_modified":"2026-04-27T20:16:18.200","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-49915-advisory","url":"https://research.lyrie.ai/research/cve-2025-49915-advisory","title":"CRITICAL: CVE-2025-49915 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.5.","content_text":"# CRITICAL: CVE-2025-49915 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-49915  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.5.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-49915)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-49915)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-49915)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-5-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-10-22T15:15:37.440","date_modified":"2026-04-27T20:16:16.757","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-49380-advisory","url":"https://research.lyrie.ai/research/cve-2025-49380-advisory","title":"CRITICAL: CVE-2025-49380 (CVSS 9.8) — multiple products","summary":"Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection. This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.","content_text":"# CRITICAL: CVE-2025-49380 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-49380  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nDeserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection. This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-49380)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-49380)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-49380)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/woo-vehicle-parts-finder/vulnerability/wordpress-woocommerce-vehicle-parts-finder-plugin-3-7-php-object-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-10-22T15:15:35.967","date_modified":"2026-04-27T20:16:14.687","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-49055-advisory","url":"https://research.lyrie.ai/research/cve-2025-49055-advisory","title":"CRITICAL: CVE-2025-49055 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.","content_text":"# CRITICAL: CVE-2025-49055 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-49055  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-49055)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-49055)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-49055)\n\n## References\n- https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-01-22T17:15:55.903","date_modified":"2026-04-27T20:16:10.463","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-48089-advisory","url":"https://research.lyrie.ai/research/cve-2025-48089-advisory","title":"CRITICAL: CVE-2025-48089 (CVSS 9.3) — multiple products","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme | HiStudy histudy allows SQL Injection. This issue affects Education WordPress Theme | HiStudy: from n/a through < 3.1.0.","content_text":"# CRITICAL: CVE-2025-48089 (CVSS 9.3) — multiple products\n\n**CVE:** CVE-2025-48089  \n**CVSS:** 9.3 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme | HiStudy histudy allows SQL Injection. This issue affects Education WordPress Theme | HiStudy: from n/a through < 3.1.0.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-48089)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-48089)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-48089)\n\n## References\n- https://patchstack.com/database/Wordpress/Theme/histudy/vulnerability/wordpress-education-wordpress-theme-histudy-theme-3-1-0-sql-injection-vulnerability?_s_id=cve\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2025-11-06T16:15:52.270","date_modified":"2026-04-27T20:16:06.917","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-40372-microsoft-asp-net-core","url":"https://research.lyrie.ai/research/cve-2026-40372-microsoft-asp-net-core","title":"CRITICAL: CVE-2026-40372 (CVSS 9.1) — microsoft asp.net core","summary":"Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.","content_text":"# CRITICAL: CVE-2026-40372 (CVSS 9.1) — microsoft asp.net core\n\n**CVE:** CVE-2026-40372  \n**CVSS:** 9.1 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- microsoft asp.net core\n\n## Summary\nImproper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-40372)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-40372)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-40372)\n\n## References\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-04-21T20:16:59.133","date_modified":"2026-04-27T19:57:39.360","tags":["microsoft","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage","url":"https://research.lyrie.ai/research/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage","title":"Alleged Silk Typhoon hacker extradited to US for cyberespionage","summary":"A Chinese national accused of carrying out cyberespionage operations for China's intelligence services has been extradited from Italy to the United States to face criminal charges. [...]","content_text":"# Alleged Silk Typhoon hacker extradited to US for cyberespionage\n\nSource: [BleepingComputer](https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/)  \nPublished: Mon, 27 Apr 2026 15:56:03 -0400\n\n## Summary\nA Chinese national accused of carrying out cyberespionage operations for China's intelligence services has been extradited from Italy to the United States to face criminal charges. 
[...]\n\n## Sources\n- [BleepingComputer report](https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/)\n- [BleepingComputer feed](https://www.bleepingcomputer.com/feed/)\n- [Lyrie threat desk](https://research.lyrie.ai/authors/lyrie-threat-intelligence)","date_published":"Mon, 27 Apr 2026 15:56:03 -0400","date_modified":"Mon, 27 Apr 2026 15:56:03 -0400","tags":["breach","bleepingcomputer"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-5652-craftycontrol-crafty-controller","url":"https://research.lyrie.ai/research/cve-2026-5652-craftycontrol-crafty-controller","title":"CRITICAL: CVE-2026-5652 (CVSS 9) — craftycontrol crafty controller","summary":"An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.","content_text":"# CRITICAL: CVE-2026-5652 (CVSS 9) — craftycontrol crafty controller\n\n**CVE:** CVE-2026-5652  \n**CVSS:** 9 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- craftycontrol crafty controller\n\n## Summary\nAn insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-5652)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-5652)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-5652)\n\n## References\n- https://gitlab.com/crafty-controller/crafty-4/-/work_items/705\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-04-21T17:16:57.793","date_modified":"2026-04-27T19:47:08.807","tags":["craftycontrol","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-40351-fastgpt-fastgpt","url":"https://research.lyrie.ai/research/cve-2026-40351-fastgpt-fastgpt","title":"CRITICAL: CVE-2026-40351 (CVSS 9.8) — fastgpt fastgpt","summary":"FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {\"$ne\": \"\"}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.","content_text":"# CRITICAL: CVE-2026-40351 (CVSS 9.8) — fastgpt fastgpt\n\n**CVE:** CVE-2026-40351  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- fastgpt fastgpt\n\n## Summary\nFastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {\"$ne\": \"\"}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. 
This issue has been fixed in version 4.14.9.5.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-40351)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-40351)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-40351)\n\n## References\n- https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d\n- https://github.com/labring/FastGPT/releases/tag/v4.14.9.5\n- https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-17T22:16:32.793","date_modified":"2026-04-27T19:39:32.913","tags":["fastgpt","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-40575-oauth2-proxy-project-oauth2-proxy","url":"https://research.lyrie.ai/research/cve-2026-40575-oauth2-proxy-project-oauth2-proxy","title":"CRITICAL: CVE-2026-40575 (CVSS 9.1) — oauth2 proxy project oauth2 proxy","summary":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. 
Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.","content_text":"# CRITICAL: CVE-2026-40575 (CVSS 9.1) — oauth2 proxy project oauth2 proxy\n\n**CVE:** CVE-2026-40575  \n**CVSS:** 9.1 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n- oauth2 proxy project oauth2 proxy\n\n## Summary\nOAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. 
Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-40575)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-40575)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-40575)\n\n## References\n- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x\n\n---\n_Validated by the Lyrie Threat Intel","date_published":"2026-04-22T00:16:27.817","date_modified":"2026-04-27T19:29:10.667","tags":["oauth2","critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-44560-advisory","url":"https://research.lyrie.ai/research/cve-2025-44560-advisory","title":"CRITICAL: CVE-2025-44560 (CVSS 9.8) — multiple products","summary":"owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.","content_text":"# CRITICAL: CVE-2025-44560 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-44560  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nowntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-44560)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-44560)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-44560)\n\n## References\n- 
https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3\n- https://github.com/owntone/owntone-server/issues/1873\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-10T15:16:22.743","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-66956-advisory","url":"https://research.lyrie.ai/research/cve-2025-66956-advisory","title":"CRITICAL: CVE-2025-66956 (CVSS 9.9) — multiple products","summary":"Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.","content_text":"# CRITICAL: CVE-2025-66956 (CVSS 9.9) — multiple products\n\n**CVE:** CVE-2025-66956  \n**CVSS:** 9.9 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nInsecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-66956)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-66956)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-66956)\n\n## References\n- http://asseco.com\n- https://github.com/TheWoodenBench/CVE-2025-66956\n- https://live.asee.io/\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-11T21:16:13.037","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-69902-advisory","url":"https://research.lyrie.ai/research/cve-2025-69902-advisory","title":"CRITICAL: CVE-2025-69902 (CVSS 9.8) — multiple products","summary":"A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.","content_text":"# CRITICAL: CVE-2025-69902 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-69902  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nA command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-69902)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-69902)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-69902)\n\n## References\n- https://asec.ahnlab.com/ko/92922/\n- https://github.com/rohitg00/kubectl-mcp-server\n- https://github.com/rohitg00/kubectl-mcp-server/blob/main/kubectl_mcp_tool/minimal_wrapper.py\n- https://pypi.org/project/kubectl-mcp-tool\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-16T21:16:17.700","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-70024-advisory","url":"https://research.lyrie.ai/research/cve-2025-70024-advisory","title":"CRITICAL: CVE-2025-70024 (CVSS 9.8) — multiple products","summary":"An issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14.","content_text":"# CRITICAL: CVE-2025-70024 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-70024  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nAn issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-70024)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-70024)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-70024)\n\n## References\n- https://gist.github.com/zcxlighthouse/4983275f71824ff47b9bdca9de7cb36a\n- https://github.com/benkeen\n- https://github.com/benkeen/generatedata\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-11T21:16:13.213","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2025-70041-advisory","url":"https://research.lyrie.ai/research/cve-2025-70041-advisory","title":"CRITICAL: CVE-2025-70041 (CVSS 9.8) — multiple products","summary":"An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.","content_text":"# CRITICAL: CVE-2025-70041 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2025-70041  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nAn issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-70041)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2025-70041)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-70041)\n\n## References\n- https://gist.github.com/zcxlighthouse/cbd6fd6ca486460573e0611ee547f763\n- https://github.com/oslabs-beta\n- https://github.com/oslabs-beta/ThermaKube\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-11T21:16:13.330","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-25818-advisory","url":"https://research.lyrie.ai/research/cve-2026-25818-advisory","title":"CRITICAL: CVE-2026-25818 (CVSS 9.1) — multiple products","summary":"HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.","content_text":"# CRITICAL: CVE-2026-25818 (CVSS 9.1) — multiple products\n\n**CVE:** CVE-2026-25818  \n**CVSS:** 9.1 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nHMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-25818)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-25818)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-25818)\n\n## References\n- https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13\n- https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-13T19:54:27.353","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-25823-advisory","url":"https://research.lyrie.ai/research/cve-2026-25823-advisory","title":"CRITICAL: CVE-2026-25823 (CVSS 9.8) — multiple products","summary":"HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have a stack buffer overflow that leads to a Denial of Service, which can also be exploited to achieve Unauthenticated Remote Code Execution.","content_text":"# CRITICAL: CVE-2026-25823 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-25823  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nHMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have a stack buffer overflow that leads to a Denial of Service, which can also be exploited to achieve Unauthenticated Remote Code Execution.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-25823)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-25823)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-25823)\n\n## References\n- https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13\n- https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. 
No speculation._","date_published":"2026-03-13T19:54:27.790","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]},{"id":"https://research.lyrie.ai/research/cve-2026-29861-advisory","url":"https://research.lyrie.ai/research/cve-2026-29861-advisory","title":"CRITICAL: CVE-2026-29861 (CVSS 9.8) — multiple products","summary":"PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.","content_text":"# CRITICAL: CVE-2026-29861 (CVSS 9.8) — multiple products\n\n**CVE:** CVE-2026-29861  \n**CVSS:** 9.8 (3.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  \n**Severity:** CRITICAL  \n**Status:** Critical advisory\n\n## Affected\n_See vendor advisory_\n\n## Summary\nPHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.\n\n## Verified Sources\n- [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-29861)\n- [GitHub Advisory](https://github.com/advisories?query=CVE-2026-29861)\n- [MITRE](https://cveawg.mitre.org/api/cve/CVE-2026-29861)\n\n## References\n- https://github.com/amanyadav78/CVE-2026-29861\n\n---\n_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._","date_published":"2026-04-10T15:16:23.477","date_modified":"2026-04-27T19:18:46.690","tags":["critical"],"authors":[{"name":"Lyrie Threat Intelligence"}]}]}