5 posts
A CVSS 9.8 pre-authentication RCE in Splunk Enterprise's PostgreSQL sidecar service lets any network-reachable attacker chain file-write primitives into full code execution, with active exploitation reported within five days of disclosure.
A perfect 10.0 pre-authenticated OS command injection in Ivanti Sentry lets any unauthenticated attacker execute arbitrary commands as root. Public PoC released June 10, 2026. Patch immediately.
A logic error in Android's ADB daemon lets an adjacent-network attacker bypass mutual TLS authentication and open a remote shell on any unpatched Android 14–16 device, no user interaction required.
A double-free vulnerability in Apache HTTP Server 2.4.66's mod_http2 module (CVSS 8.8) allows unauthenticated attackers to crash worker processes with just two HTTP/2 frames, and escalate to full RCE.
A critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal is being actively exploited in the wild. CVSS 4.0 score of 9.3. Here's what you need to know.