Explore all published articles.
CVE-2026-48908: Joomla's Page Builder Handed Attackers the Keys, No Knock Required
Published June 26, 2026
A missing access check in SP Page Builder's icon-upload endpoint gave unauthenticated attackers direct RCE on every Joomla site running the extension. CVSS 10.0, actively exploited, patch available.
CVE-2026-36537: ThingsBoard OAuth Login Lets Attackers Become Any User
Published June 19, 2026
A CVSS 9.8 authentication bypass in ThingsBoard's Apple OAuth 2.0 flow lets a remote attacker impersonate an existing user and take over the account. A public PoC exists, but active exploitation has not been reported.
CVE-2026-20253: Splunk's PostgreSQL Sidecar Hands Out Shells. No Credentials Required
Published June 18, 2026
A CVSS 9.8 pre-authentication RCE in Splunk Enterprise's PostgreSQL sidecar service lets any network-reachable attacker chain file-write primitives into full code execution, with active exploitation reported within five days of disclosure.
CVE-2026-10520: Ivanti Sentry's Internal Config API Was Open to the Whole Internet
Published June 11, 2026
A perfect 10.0 pre-authenticated OS command injection in Ivanti Sentry lets any unauthenticated attacker execute arbitrary commands as root. Public PoC released June 10, 2026. Patch immediately.
CVE-2026-32625: LibreChat MCP Server Leaks Your Entire Secret Vault to Any Logged-In User
Published June 7, 2026
A critical (CVSS 9.6) information-disclosure flaw in LibreChat lets any authenticated user exfiltrate JWT signing keys, AES encryption keys, and database credentials by injecting environment-variable placeholders into a malicious MCP server URL. Patched in v0.8.4-rc1.
CVE-2026-0073: Zero-Click RCE in Android's Wireless ADB Authentication
Published May 9, 2026
A logic error in Android's ADB daemon lets an adjacent-network attacker bypass mutual TLS authentication and open a remote shell on any unpatched Android 14–16 device, no user interaction required.
CVE-2026-23918: Apache HTTP/2 Double-Free Enables DoS and Remote Code Execution
Published May 9, 2026
A double-free vulnerability in Apache HTTP Server 2.4.66's mod_http2 module (CVSS 8.8) allows unauthenticated attackers to crash worker processes with just two HTTP/2 frames and to escalate to full RCE.
CVE-2026-0300: The PAN-OS Buffer Overflow Handing Attackers Root on Your Firewall
Published May 8, 2026
A critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal is being actively exploited in the wild. CVSS 4.0 score of 9.3. Here's what you need to know.
CVE-2026-41940: How a Missing Sanitizer Call Unlocked 1.5 Million cPanel Servers
Published May 2, 2026
A look at the critical cPanel & WHM authentication bypass. What happened, who was affected, and what you need to do right now.
CVE-2026-31431 (CopyFail): The Linux Bug That Turns 4 Bytes Into Root
Published May 1, 2026
A logic flaw in the Linux kernel's cryptographic subsystem has been hiding since 2017, and it hands root access to any unprivileged user in 732 bytes of Python.
Welcome to the Xentrika Blog
Published March 11, 2026
An introduction to the Xentrika blog where we share insights on cybersecurity, penetration testing, and digital security.
Understanding Penetration Testing - A Practical Overview
Published March 10, 2026
A clear breakdown of what penetration testing is, the phases involved, and why every organization should treat it as a core part of their security strategy.
Common Web Application Vulnerabilities and How to Find Them
Published March 8, 2026
A practical guide to the most frequently exploited web application vulnerabilities, including how attackers discover them and the steps developers can take to prevent them.