Forem: CVE Reports

CVE-2026-39857: CVE-2026-39857: Information Disclosure via Authorization Bypass in ApostropheCMS REST API

CVE Reports — Thu, 16 Apr 2026 21:10:20 +0000

CVE-2026-39857: Information Disclosure via Authorization Bypass in ApostropheCMS REST API

Vulnerability ID: CVE-2026-39857
CVSS Score: 5.3
Published: 2026-04-16

ApostropheCMS versions 4.28.0 and prior contain an authorization bypass vulnerability in the REST API's 'choices' and 'counts' query builders. These parameters execute MongoDB aggregation operations that bypass configured public API projections, permitting unauthenticated attackers to extract distinct values for restricted schema fields.

TL;DR

Unauthenticated attackers can bypass API projections in ApostropheCMS <= 4.28.0 using the 'choices' and 'counts' parameters to exfiltrate restricted field data.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-863
Attack Vector: Network
CVSS v3.1: 5.3
EPSS Score: 0.00037
Impact: Confidentiality (Low)
Exploitation Status: PoC Available
CISA KEV: No

Affected Systems

ApostropheCMS <= 4.28.0
Node.js Applications using ApostropheCMS
ApostropheCMS: <= 4.28.0 (Fixed in: 4.29.0)

Code Analysis

Commit: 6c2b548

Fix: Apply projection and viewPermission checks to distinct() queries for choices and counts endpoints

Exploit Details

GitHub Advisory: PoC exists within the official fix commit test cases.

Mitigation Strategies

Upgrade application core components to the latest stable release.
Implement strict Web Application Firewall (WAF) rules to filter specific query parameters.
Audit public API endpoint projections and explicit field exclusion configurations.

Remediation Steps:

Verify current ApostropheCMS version via package.json.
Execute package manager update to install ApostropheCMS >= 4.29.0.
Review and test piece and page type schemas for correct publicApiProjection syntax.
Deploy WAF rules blocking 'choices' and 'counts' parameters on REST endpoints if patching is delayed.

References

Read the full report for CVE-2026-39857 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-33824: CVE-2026-33824: Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

CVE Reports — Thu, 16 Apr 2026 15:20:20 +0000

CVE-2026-33824: Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Vulnerability ID: CVE-2026-33824
CVSS Score: 9.8
Published: 2026-04-14

A double-free vulnerability in the Windows IKE Extension service allows unauthenticated remote attackers to achieve arbitrary code execution with SYSTEM privileges by sending malformed IKEv2 payloads.

TL;DR

CVE-2026-33824 (BlueHammer) is an actively exploited, zero-click remote code execution vulnerability in the Windows IKE service (IKEEXT). It leverages a double-free condition during SA_INIT packet parsing to bypass mitigations and execute arbitrary code as SYSTEM.

⚠️ Exploit Status: ACTIVE

Technical Details

CWE ID: CWE-415
Attack Vector: Network (UDP 500/4500)
CVSS Score: 9.8
EPSS Score: 0.00067
Impact: Unauthenticated RCE as SYSTEM
Exploit Status: Active Exploitation

Affected Systems

Windows 11 (22H2, 23H2, 24H2, 25H2, 26H1)
Windows 10 (1607, 1809, 21H2, 22H2)
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025
Windows 11: 22H2, 23H2, 24H2, 25H2, 26H1 (Fixed in: 10.0.22631.6936+)
Windows 10: 1607, 1809, 21H2, 22H2 (Fixed in: 10.0.14393.9060+)
Windows Server: 2016, 2019, 2022, 2025 (Fixed in: April 2026 Cumulative Update)

Exploit Details

GitHub: Mirror of the original BlueHammer PoC and exploitation analysis.

Mitigation Strategies

Apply Microsoft April 2026 Cumulative Updates to all affected Windows endpoints and servers.
Disable the 'IKE and AuthIP IPsec Keying Modules' (IKEEXT) service if IPsec or VPN functionality is not required.
Implement network perimeter filtering to block inbound UDP port 500 and 4500 traffic unless strictly required for known VPN endpoints.

Remediation Steps:

Inventory all public-facing Windows Server assets to identify active IKE/IPsec services.
Deploy the April 2026 security patches targeting the specific Windows builds (e.g., 10.0.22631.6936+ for Windows 11).
Reboot affected servers to ensure the patched IKEEXT.dll is loaded into memory.
Verify the update installation via Windows Update logs or configuration management tooling.
Review network telemetry on UDP 500/4500 for the weeks preceding the patch deployment to identify potential zero-day compromise.

References

Read the full report for CVE-2026-33824 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-33R3-4WHC-44C2: GHSA-33R3-4WHC-44C2: Path Traversal and Arbitrary File Write in vite-plus/binding

CVE Reports — Thu, 16 Apr 2026 13:40:21 +0000

GHSA-33R3-4WHC-44C2: Path Traversal and Arbitrary File Write in vite-plus/binding

Vulnerability ID: GHSA-33R3-4WHC-44C2
CVSS Score: 8.6
Published: 2026-04-16

A path traversal vulnerability exists in the vite-plus/binding component of the vite-plus npm package prior to version 0.1.17. The downloadPackageManager() function fails to validate the version parameter, allowing programmatic attackers to escape the VP_HOME directory, overwrite arbitrary directories, and write executable shims to unintended filesystem locations.

TL;DR

The downloadPackageManager() function in vite-plus/binding (< 0.1.17) is vulnerable to a path traversal attack via unvalidated version strings. This allows arbitrary file writes and directory manipulation outside the designated VP_HOME directory.

⚠️ Exploit Status: POC

Technical Details

Vulnerability ID: GHSA-33R3-4WHC-44C2
CWE ID: CWE-22
CVSS v4.0 Score: 8.6
Attack Vector: Local
Impact: High Integrity, High Availability
Exploit Status: PoC Available
Affected Component: vite-plus/binding

Affected Systems

vite-plus npm package (< 0.1.17)
vite-plus: >= 0, < 0.1.17 (Fixed in: 0.1.17)

Mitigation Strategies

Upgrade vite-plus to version 0.1.17 or later.
Implement strict semver validation for all version strings before passing them to vite-plus/binding APIs.
Restrict the filesystem permissions of the Node.js process to limit the impact of successful arbitrary file writes.
Monitor internal dependencies and programmatic API calls for unvalidated user input.

Remediation Steps:

Audit the codebase for programmatic usage of vite-plus/binding's downloadPackageManager().
Update package.json to require vite-plus >= 0.1.17.
Run npm install or pnpm install to update the dependency tree.
If programmatic calls exist, implement pre-validation using the semver package (semver.valid(version)).
Deploy the updated application to production environments.

References

Read the full report for GHSA-33R3-4WHC-44C2 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-33805: CVE-2026-33805: Connection Header Abuse in @fastify/reply-from and @fastify/http-proxy

CVE Reports — Thu, 16 Apr 2026 11:40:20 +0000

CVE-2026-33805: Connection Header Abuse in @fastify/reply-from and @fastify/http-proxy

Vulnerability ID: CVE-2026-33805
CVSS Score: 9.0
Published: 2026-04-16

A logic flaw in the header processing pipeline of @fastify/reply-from and @fastify/http-proxy allows unauthenticated remote attackers to bypass access controls or subvert routing. By manipulating the HTTP Connection header, clients can force the proxy to remove security-critical headers injected by the developer via the rewriteRequestHeaders hook.

TL;DR

A vulnerability in Fastify proxy plugins allows clients to strip proxy-injected security headers by exploiting the RFC 7230 hop-by-hop stripping mechanism, leading to authentication bypasses and header spoofing.

⚠️ Exploit Status: POC

Technical Details

CVSS Score: 9.0 (Critical)
Attack Vector: Network
CWE ID: CWE-644
Exploit Status: PoC Available
EPSS Score: 0.00042 (12.75%)
Authentication: None Required

Affected Systems

@fastify/reply-from
@fastify/http-proxy
Node.js API Gateways
Fastify Edge Proxies
@fastify/reply-from: <= 12.6.1 (Fixed in: 12.6.2)
@fastify/http-proxy: <= 11.4.3 (Fixed in: 11.4.4)

Code Analysis

Commit: c815dc4

Moves Connection header stripping logic before rewriteRequestHeaders invocation to prevent client-controlled deletion of proxy metadata.

Exploit Details

Provided PoC: Proof of concept script demonstrating stripping of proxy-injected headers using the Connection header.

Mitigation Strategies

Upgrade Fastify proxy plugins to their patched versions.
Implement WAF rules to reject HTTP requests containing unexpected tokens in the Connection header.
Ensure upstream services enforce strict validation of incoming headers and implement default-deny fallback logic.

Remediation Steps:

Identify all projects utilizing @fastify/reply-from or @fastify/http-proxy via dependency auditing.
Update @fastify/reply-from to >= 12.6.2 using package managers (e.g., npm install @fastify/reply-from@12.6.2).
Update @fastify/http-proxy to >= 11.4.4 using package managers.
Rebuild and redeploy edge proxy applications.
Verify the fix by executing requests with manipulated Connection headers and confirming proxy-added headers persist.

References

Read the full report for CVE-2026-33805 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-33807: CVE-2026-33807: Middleware Bypass via Path Interpretation Conflict in @fastify/express

CVE Reports — Thu, 16 Apr 2026 11:10:20 +0000

CVE-2026-33807: Middleware Bypass via Path Interpretation Conflict in @fastify/express

Vulnerability ID: CVE-2026-33807
CVSS Score: 9.1
Published: 2026-04-16

A critical vulnerability exists in @fastify/express versions 4.0.4 and earlier where an interpretation conflict causes middleware paths to be incorrectly calculated during plugin inheritance. This flaw allows unauthenticated remote attackers to bypass security middleware, such as authentication and authorization controls, on specific routes defined within child plugin scopes.

TL;DR

@fastify/express <= 4.0.4 incorrectly doubles path prefixes during child plugin registration, bypassing security middleware on encapsulated child routes.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-436
Attack Vector: Network
CVSS Base Score: 9.1 (Critical)
EPSS Score: 0.00052
Exploit Status: Proof-of-Concept Available
KEV Status: Not Listed

Affected Systems

Node.js applications utilizing Fastify with the @fastify/express compatibility plugin
@fastify/express: <= 4.0.4 (Fixed in: 4.0.5)

Code Analysis

Commit: c4e49b5

Fix path doubling via instance.express.use

Commit: 674020f

Introduce normalizeUrl for request path consistency

Exploit Details

Security Advisory: Proof of concept code demonstrating the middleware bypass in child scopes.

Mitigation Strategies

Upgrade @fastify/express to version 4.0.5 or later
Migrate security-critical Express middleware to Fastify-native lifecycle hooks
Avoid nested prefix overlaps when utilizing legacy Express middleware

Remediation Steps:

Audit project dependencies for @fastify/express versions <= 4.0.4.
Update package.json to require @fastify/express ^4.0.5.
Run npm install or yarn install to update lockfiles.
Execute integration tests against protected routes to verify middleware enforcement.

References

Read the full report for CVE-2026-33807 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-40175: CVE-2026-40175: Header Injection in Axios via Prototype Pollution Gadget

CVE Reports — Thu, 16 Apr 2026 10:50:20 +0000

CVE-2026-40175: Header Injection in Axios via Prototype Pollution Gadget

Vulnerability ID: CVE-2026-40175
CVSS Score: 10.0
Published: 2026-04-10

CVE-2026-40175 is a critical Header Injection vulnerability in the Axios HTTP client library. It functions as an exploitation gadget in Prototype Pollution attack chains, enabling HTTP request smuggling and splitting. This flaw allows attackers to bypass SSRF mitigations and achieve full cloud compromise via internal service interactions.

TL;DR

Axios configuration merging insecurely inherits from Object.prototype and fails to validate internal CRLF characters. Attackers use prototype pollution to inject malicious headers, smuggling secondary HTTP requests to internal endpoints like AWS IMDSv2.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-113 (Improper Neutralization of CRLF Sequences)
Attack Vector: Network
CVSS: 10.0 (Critical)
EPSS: 0.40%
Impact: SSRF Bypass / Remote Code Execution / Cloud Compromise
Exploit Status: Proof of Concept Available
KEV Status: Not Listed

Affected Systems

Node.js Applications
Cloud Infrastructure (AWS EC2 instances via IMDSv2 targeting)
axios: >= 1.0.0, < 1.15.0 (Fixed in: 1.15.0)
axios: < 0.31.0 (Fixed in: 0.31.0)

Code Analysis

Commit: 3631854

Fix for header injection via prototype pollution on 1.x branch

Commit: 03cdfc9

Backport header sanitization to legacy 0.x branch

Exploit Details

GitHub (0xBlackash): Proof of Concept repository demonstrating chained attack
GitHub (kengzzzz): Exploit methodology and test harness

Mitigation Strategies

Upgrade Axios to version 1.15.0 or 0.31.0.
Identify and patch Prototype Pollution sources in dependency trees.
Implement application-level runtime protections like Object.freeze(Object.prototype).
Deploy WAF rules to block unusual structural inputs indicating CRLF injection attempts.

Remediation Steps:

Audit application dependencies using npm audit or Snyk to locate outdated versions of Axios.
Update package.json to require Axios >= 1.15.0 (or >= 0.31.0 for 0.x branches).
Execute dependency updates and verify the lockfile reflects the patched version.
Run unit and integration tests to ensure strict header validation does not disrupt legitimate application functionality.
Audit the dependency tree for known prototype pollution vulnerabilities in libraries like lodash, qs, or picomatch.

References

Read the full report for CVE-2026-40175 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-33808: CVE-2026-33808: Authentication Bypass via Path Normalization Drift in @fastify/express

CVE Reports — Thu, 16 Apr 2026 10:40:20 +0000

CVE-2026-33808: Authentication Bypass via Path Normalization Drift in @fastify/express

Vulnerability ID: CVE-2026-33808
CVSS Score: 9.1
Published: 2026-04-16

An interpretation conflict (CWE-436) in @fastify/express up to version 4.0.4 allows unauthenticated attackers to bypass path-scoped middleware. By exploiting normalization drift between the Fastify router and the Express middleware engine using duplicate slashes or semicolon delimiters, attackers can access protected endpoints.

TL;DR

Unauthenticated attackers can bypass Express middleware in @fastify/express <= 4.0.4 by exploiting URL parsing discrepancies between the Fastify router and Express middleware engine using duplicate slashes or semicolons.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-436
Attack Vector: Network
CVSS v4.0: 9.1
EPSS Score: 0.11%
Exploit Status: PoC Available
CISA KEV: Not Listed

Affected Systems

@fastify/express plugin in Node.js environments
@fastify/express: <= 4.0.4 (Fixed in: 4.0.5)

Code Analysis

Commit: 674020f

Fix path normalization divergence by aligning the middleware execution context with the Fastify instance URL normalization configuration.

Mitigation Strategies

Dependency Update
Manual Request Interception
WAF Rule Implementation

Remediation Steps:

Identify all projects utilizing @fastify/express via dependency audits (e.g., npm audit or yarn audit).
Update the @fastify/express package to version 4.0.5 or higher.
Verify the update by running integration tests against protected routes using duplicate slashes and semicolon delimiters.
If patching is delayed, implement a Fastify onRequest hook to sanitize req.raw.url manually.
Deploy WAF rules to reject HTTP requests containing multiple consecutive slashes or semicolons in the request URI.

References

Read the full report for CVE-2026-33808 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-VP22-38M5-R39R: CVE-2026-33139: Arbitrary Code Execution via Sandbox Bypass in PySpector Plugin Validation

CVE Reports — Thu, 16 Apr 2026 10:10:21 +0000

CVE-2026-33139: Arbitrary Code Execution via Sandbox Bypass in PySpector Plugin Validation

Vulnerability ID: GHSA-VP22-38M5-R39R
CVSS Score: 7.8
Published: 2026-04-16

PySpector versions 0.1.6 and earlier contain a critical vulnerability in the plugin security validation system. An incomplete Abstract Syntax Tree (AST) analysis allows attackers to bypass the restrictive sandbox using indirect function calls. Successful exploitation leads to unauthenticated arbitrary code execution on the system running the static analysis scanner.

TL;DR

A fail-open logic flaw in PySpector's AST-based security scanner allows malicious plugins to execute arbitrary code. Attackers can bypass the blocked function list by wrapping dangerous API calls in dynamically resolved functions like getattr.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-184 / CWE-693
Attack Vector: Local (via malicious plugin)
CVSS v3.1: 7.8
EPSS Score: 0.00023
Impact: Arbitrary Code Execution
Exploit Status: Proof of Concept Available

Affected Systems

PySpector Plugin Validation Engine
PySpector: <= 0.1.6 (Fixed in: 0.1.7)

Code Analysis

Commit: 771301e

Fix AST validation logic to handle ast.Call nodes recursively and expand dangerous calls blocklist.

@@ -143,6 +143,8 @@ def validate_plugin_code(plugin_path: Path) -> tuple[bool, str]:
             "exec",
             "compile",
             "__import__",
+            "vars",
+            "getattr", 
             "os.system",
             "os.popen",
@@ -184,6 +186,10 @@ def resolve_name(node: ast.AST) -> Optional[str]:
                     attrs.append(base)
                     attrs.reverse()
                     return ".".join(attrs)
+            if isinstance(node, ast.Call):
+                inner = resolve_name(node.func)
+                if inner:
+                    return inner
             return None

Exploit Details

Security Researcher Write-up: Proof of concept demonstrating the use of getattr and vars to execute os.system commands, completely bypassing the AST plugin scanner.

Mitigation Strategies

Upgrade PySpector to version 0.1.7 or later.
Implement a manual source code review process for all custom plugins before using the --trust flag.
Execute SAST scanning pipelines in isolated, ephemeral sandbox environments to limit the blast radius of arbitrary code execution.

Remediation Steps:

Identify all environments and CI/CD pipelines utilizing PySpector.
Update the pyspector dependency to >=0.1.7 in requirements.txt or equivalent package managers.
Audit existing installed plugins for suspicious usage of getattr, vars, or direct os/subprocess calls.

References

Read the full report for GHSA-VP22-38M5-R39R on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-33825: CVE-2026-33825: Local Privilege Escalation via TOCTOU in Microsoft Defender Signature Updates (BlueHammer)

CVE Reports — Thu, 16 Apr 2026 10:10:20 +0000

CVE-2026-33825: Local Privilege Escalation via TOCTOU in Microsoft Defender Signature Updates (BlueHammer)

Vulnerability ID: CVE-2026-33825
CVSS Score: 7.8
Published: 2026-04-14

CVE-2026-33825, publicly referred to as BlueHammer, is a high-severity local privilege escalation vulnerability within the Microsoft Defender Antimalware Platform. The flaw stems from insufficient access control granularity and a Time-of-Check to Time-of-Use (TOCTOU) race condition during signature updates, enabling a standard user to obtain NT AUTHORITY\SYSTEM privileges.

TL;DR

A TOCTOU race condition in Microsoft Defender's signature update process allows local attackers to exploit filesystem junctions and RPC calls to elevate privileges to SYSTEM. The exploit, known as BlueHammer, facilitates arbitrary file operations and credential dumping.

⚠️ Exploit Status: WEAPONIZED

Technical Details

CWE ID: CWE-1220 (Insufficient Granularity of Access Control)
Attack Vector: Local (AV:L)
CVSS v3.1: 7.8 (High)
Impact: Local Privilege Escalation to SYSTEM
Exploit Status: Weaponized PoC Available
Affected Component: Microsoft Defender (MpSigStub.exe)

Affected Systems

Microsoft Defender Antimalware Platform
Microsoft Defender Antimalware Platform: 4.0.0.0 - < 4.18.26030.3011 (Fixed in: 4.18.26030.3011)

Exploit Details

GitHub: Original BlueHammer PoC by Nightmare-Eclipse
GitHub: Alternative PoC documentation and refined code by atroubledsnake

Mitigation Strategies

Update Microsoft Defender Antimalware Platform to version 4.18.26030.3011 or later.
Restrict user permissions for creating Object Manager symbolic links via Security Policy.
Monitor and routinely clear unauthorized filesystem junctions in user temporary directories.

Remediation Steps:

Verify the current Microsoft Defender Engine version using PowerShell.
Deploy the April 2026 Update (Patch Tuesday) via Windows Update or WSUS.
Validate the installation by checking the Engine Version property.

References

Read the full report for CVE-2026-33825 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-RR7J-V2Q5-CHGV: GHSA-RR7J-V2Q5-CHGV: Streaming Token Redaction Bypass in LangSmith SDK

CVE Reports — Thu, 16 Apr 2026 08:40:20 +0000

GHSA-RR7J-V2Q5-CHGV: Streaming Token Redaction Bypass in LangSmith SDK

Vulnerability ID: GHSA-RR7J-V2Q5-CHGV
CVSS Score: 5.3
Published: 2026-04-16

The LangSmith SDK for both Python and JavaScript/TypeScript fails to apply output redaction controls to streaming token events. This oversight allows sensitive Large Language Model (LLM) outputs to bypass privacy configurations and transmit raw token data to the LangSmith backend, resulting in unintended data exposure.

TL;DR

A flaw in the LangSmith SDK's telemetry processing pipeline causes streaming token events to bypass hide_outputs redaction controls. Applications processing sensitive data via LLM streams transmit unredacted data to LangSmith servers despite active privacy settings.

Technical Details

Vulnerability ID: GHSA-RR7J-V2Q5-CHGV
CVSS Score: 5.3 (Medium)
Attack Vector: Network
CWE-ID: CWE-212
Exploit Status: None (No Public PoC)
KEV Status: Not Listed

Affected Systems

LangSmith SDK for Python
LangSmith SDK for JavaScript/TypeScript
langsmith (npm): < 0.5.19 (Fixed in: 0.5.19)
langsmith (PyPI): < 0.7.31 (Fixed in: 0.7.31)

Mitigation Strategies

Upgrade the LangSmith Python SDK via PyPI to a patched release.
Upgrade the LangSmith JavaScript/TypeScript SDK via npm to a patched release.
Disable streaming features on specific LLM chains that process high-sensitivity data if patching is delayed.
Audit existing LangSmith project logs and event traces for historical data leaks.

Remediation Steps:

Identify the current version of the LangSmith SDK using pip show langsmith or npm list langsmith.
Update the package.json or requirements.txt to specify langsmith >= 0.5.19 (JS) or langsmith >= 0.7.31 (Python).
Execute npm install or pip install --upgrade langsmith to apply the update.
Restart the application services to ensure the newly loaded SDK library handles subsequent traces.
Perform a test run with streaming enabled and verify the LangSmith events tab reflects redacted token entries.

References

Read the full report for GHSA-RR7J-V2Q5-CHGV on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-20147: CVE-2026-20147: Authenticated Remote Code Execution in Cisco Identity Services Engine (ISE)

CVE Reports — Thu, 16 Apr 2026 08:30:52 +0000

CVE-2026-20147: Authenticated Remote Code Execution in Cisco Identity Services Engine (ISE)

Vulnerability ID: CVE-2026-20147
CVSS Score: 9.9
Published: 2026-04-15

CVE-2026-20147 is a critical remote code execution vulnerability (CVSS 9.9) affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw stems from improper neutralization of user-supplied input within the web management interface. Authenticated administrative users can exploit this to execute arbitrary commands, escalate to root privileges, and potentially cause a complete denial of service.

TL;DR

Authenticated administrative users can execute arbitrary commands and escalate to root in Cisco ISE via crafted HTTP requests due to insufficient input validation. Single-node deployments risk complete denial of service.

Technical Details

CWE ID: CWE-77
Attack Vector: Network
Authentication Required: Yes (Administrative credentials)
CVSS v3.1 Score: 9.9 (Critical)
Exploit Status: Unexploited / No public PoC
CISA KEV: Not Listed
Impact: Remote Code Execution (Root) / DoS
Vendor Bug ID: CSCws52738

Affected Systems

Cisco Identity Services Engine (ISE)
Cisco ISE Passive Identity Connector (ISE-PIC)
Cisco Identity Services Engine (ISE): 3.1.0 <= 3.1.0 p10 (Fixed in: 3.1.0 Patch 11)
Cisco Identity Services Engine (ISE): 3.2.0 <= 3.2.0 p9 (Fixed in: 3.2.0 Patch 10)
Cisco Identity Services Engine (ISE): 3.3.0 <= 3.3 Patch 9 (Fixed in: 3.3 Patch 10)
Cisco Identity Services Engine (ISE): 3.4.0 <= 3.4 Patch 5 (Fixed in: 3.4 Patch 6)
Cisco Identity Services Engine (ISE): 3.5.0 <= 3.5 Patch 2 (Fixed in: 3.5 Patch 3)
Cisco ISE Passive Identity Connector (ISE-PIC): 3.1.0
Cisco ISE Passive Identity Connector (ISE-PIC): 3.2.0
Cisco ISE Passive Identity Connector (ISE-PIC): 3.3.0
Cisco ISE Passive Identity Connector (ISE-PIC): 3.4.0

Mitigation Strategies

Upgrade Cisco ISE and ISE-PIC to the latest patched versions provided by the vendor.
Restrict network access to the ISE web-based management interface to trusted administrative subnets.
Audit and enforce the principle of least privilege for all ISE administrative accounts.
Monitor administrative logs for anomalous configuration changes or system diagnostic executions.

Remediation Steps:

Identify the current version of Cisco ISE or ISE-PIC running in the environment.
Download the appropriate patch file from the official Cisco Software Central portal.
Backup the current ISE configuration and system state.
Apply the patch during a scheduled maintenance window.
Verify successful installation and test authentication flows to ensure stability.

References

Read the full report for CVE-2026-20147 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-32176: CVE-2026-32176: Elevation of Privilege via SQL Injection in Microsoft SQL Server

CVE Reports — Thu, 16 Apr 2026 08:30:51 +0000

CVE-2026-32176: Elevation of Privilege via SQL Injection in Microsoft SQL Server

Vulnerability ID: CVE-2026-32176
CVSS Score: 6.7
Published: 2026-04-14

CVE-2026-32176 is an elevation of privilege vulnerability in the Microsoft SQL Server engine caused by improper neutralization of special elements in dynamic SQL commands. An attacker with existing high-level privileges can exploit this flaw to execute arbitrary SQL commands within an elevated context, leading to full instance takeover.

TL;DR

An authenticated, high-privileged database user can exploit an internal SQL injection flaw in SQL Server system procedures to escalate their permissions to the sysadmin level, compromising the entire database instance.

Technical Details

CWE ID: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Attack Vector: Local (AV:L) / Authenticated Database Connection
Privileges Required: High (e.g., db_owner)
CVSS v3.1 Score: 6.7 (Medium)
Impact: Local Elevation of Privilege to sysadmin
EPSS Score: 0.00072 (21.99th percentile)
Exploit Status: None / Private
CISA KEV: Not Listed

Affected Systems

Microsoft SQL Server 2025
Microsoft SQL Server 2022
Microsoft SQL Server 2019
Microsoft SQL Server 2017
Microsoft SQL Server 2016
SQL Server 2025: < 17.0.1110.1 (GDR) (Fixed in: 17.0.1110.1)
SQL Server 2022: < 16.0.1175.1 (GDR) (Fixed in: 16.0.1175.1)
SQL Server 2019: < 15.0.2165.1 (GDR) (Fixed in: 15.0.2165.1)
SQL Server 2017: < 14.0.2105.1 (GDR) (Fixed in: 14.0.2105.1)
SQL Server 2016: < 13.0.6485.1 (GDR) (Fixed in: 13.0.6485.1)

Mitigation Strategies

Apply the official Microsoft GDR or CU updates provided in the April 2026 Patch Tuesday release.
Enforce the Principle of Least Privilege by minimizing the number of users in the db_owner role.
Disable the PolyBase feature using sp_configure if it is not actively utilized in the environment.
Enable and monitor SQL Server Audit logs for anomalous executions of system stored procedures.

Remediation Steps:

Identify the exact version and edition of the target SQL Server instances.
Download the appropriate KB update (e.g., KB5084814 for SQL Server 2025) from the Microsoft Update Catalog.
Schedule a maintenance window, as the SQL Server service will require a restart during the patching process.
Apply the patch and verify the build number using 'SELECT @@version' to ensure the update was successful.
Review user role assignments across all user databases to ensure non-administrative users do not possess unintended high privileges.

Read the full report for CVE-2026-32176 on our website for more details including interactive diagrams and full exploit analysis.