Xentrika Blog
Security insights, straight from the field.
Practical knowledge on penetration testing, cybersecurity, and digital defense from the Xentrika team.
Latest
CVE-2026-48908: Joomla's Page Builder Handed Attackers the Keys, No Knock Required
Published June 26, 2026
A missing access check in SP Page Builder's icon-upload endpoint gave unauthenticated attackers direct RCE on every Joomla site running the extension. CVSS 10.0, actively exploited, patch available.
CVE-2026-36537: ThingsBoard OAuth Login Lets Attackers Become Any User
Published June 19, 2026
A CVSS 9.8 authentication bypass in ThingsBoard's Apple OAuth 2.0 flow lets a remote attacker impersonate an existing user and take over the account. A public PoC exists, but active exploitation has not been reported.
CVE-2026-20253: Splunk's PostgreSQL Sidecar Hands Out Shells. No Credentials Required
Published June 18, 2026
A CVSS 9.8 pre-authentication RCE in Splunk Enterprise's PostgreSQL sidecar service lets any network-reachable attacker chain file-write primitives into full code execution, with active exploitation reported within five days of disclosure.
CVE-2026-10520: Ivanti Sentry's Internal Config API Was Open to the Whole Internet
Published June 11, 2026
A perfect 10.0 pre-authenticated OS command injection in Ivanti Sentry lets any unauthenticated attacker execute arbitrary commands as root. Public PoC released June 10, 2026. Patch immediately.
CVE-2026-32625: LibreChat MCP Server Leaks Your Entire Secret Vault to Any Logged-In User
Published June 7, 2026
A critical (CVSS 9.6) information-disclosure flaw in LibreChat lets any authenticated user exfiltrate JWT signing keys, AES encryption keys, and database credentials by injecting environment-variable placeholders into a malicious MCP server URL. Patched in v0.8.4-rc1.
CVE-2026-0073: Zero-Click RCE in Android's Wireless ADB Authentication
Published May 9, 2026
A logic error in Android's ADB daemon lets an adjacent-network attacker bypass mutual TLS authentication and open a remote shell on any unpatched Android 14–16 device, no user interaction required.
CVE-2026-23918: Apache HTTP/2 Double-Free Enables DoS and Remote Code Execution
Published May 9, 2026
A double-free vulnerability in Apache HTTP Server 2.4.66's mod_http2 module (CVSS 8.8) allows unauthenticated attackers to crash worker processes with just two HTTP/2 frames, and escalate to full RCE.
CVE-2026-0300: The PAN-OS Buffer Overflow Handing Attackers Root on Your Firewall
Published May 8, 2026
A critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal is being actively exploited in the wild. CVSS 4.0 score of 9.3. Here's what you need to know.
CVE-2026-41940: How a Missing Sanitizer Call Unlocked 1.5 Million cPanel Servers
Published May 2, 2026
A look at the critical cPanel & WHM authentication bypass. What happened, who was affected, and what you need to do right now.
CVE-2026-31431 (CopyFail): The Linux Bug That Turns 4 Bytes Into Root
Published May 1, 2026
A logic flaw in the Linux kernel's cryptographic subsystem has been hiding since 2017, and it hands root access to any unprivileged user in 732 bytes of Python.