CVE-2026-45502 — Microsoft Exchange Server EWS InstallApp Server-Side Request Forgery

A server-side request forgery (SSRF) vulnerability exists in Microsoft Exchange Server’s Exchange Web Services (EWS) InstallApp operation. When an authenticated user submits a ManifestUrl parameter in the InstallApp SOAP request, Exchange downloads the manifest from the supplied URL. The intranet-address check that should prevent SSRF is gated on the isBposUser flag, which is false for every on-premises Exchange deployment, so the check is skipped entirely outside the cloud service and an authenticated user can force the Exchange server to make HTTP requests to arbitrary internal or external URLs. Microsoft addressed this vulnerability in the June 2026 security update (KB5094139). ...

June 22, 2026 · 9 min · Aretiq AI
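The gating bug described above, reduced to a runnable model. This is an added example, not Exchange code or code from the post: the name table is constructed so the check runs offline, the function names are this example's own, and the real check must resolve every A/AAAA record and pin the connection to the vetted address (otherwise DNS rebinding or an HTTP redirect re-opens the hole).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline (hypothetical hosts).
HYPOTHETICAL_DNS = {
    "appsource.microsoft.com": "20.40.60.80",   # public, should be allowed
    "exchange.corp.example": "10.20.30.40",      # RFC 1918, internal
    "metadata.internal": "169.254.169.254",      # link-local, cloud metadata
}


def resolve_host(host):
    """Return an ipaddress object for an IP literal or a name in the table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    addr = HYPOTHETICAL_DNS.get(host.lower())
    if addr is None:
        raise LookupError(f"cannot resolve {host!r}")
    return ipaddress.ip_address(addr)


def is_intranet_address(manifest_url):
    """True when fetching the URL would make the server talk to a non-public address."""
    parts = urlsplit(manifest_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True  # fail closed: unparseable or non-HTTP URLs are treated as internal
    ip = resolve_host(parts.hostname)
    # is_global is False for private, loopback, link-local, shared (100.64/10),
    # unspecified and reserved ranges: exactly the SSRF target set.
    return not ip.is_global


def manifest_url_allowed_vulnerable(manifest_url, is_bpos_user):
    """Mirrors the flaw: the intranet check only runs for cloud (BPOS) users,
    so every on-premises caller skips it."""
    if is_bpos_user and is_intranet_address(manifest_url):
        return False
    return True


def manifest_url_allowed_fixed(manifest_url, is_bpos_user=None):
    """The check must not depend on deployment type; is_bpos_user is ignored."""
    return not is_intranet_address(manifest_url)
```

With the same metadata-service URL, the vulnerable gate returns "allowed" for an on-premises caller and "denied" only when is_bpos_user is set; the fixed gate denies it either way.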

CVE-2026-45453 — Microsoft SharePoint Server Workflow Pages DocURL Parameter Reflected Cross-Site Scripting

A reflected cross-site scripting vulnerability exists in three SharePoint Server workflow management pages. The DocURL query string parameter is rendered directly into HTML anchor tag href attributes without any encoding, allowing an attacker to inject arbitrary HTML attributes including JavaScript event handlers. An unauthenticated attacker can craft a malicious URL and deliver it to an authenticated SharePoint user; when the victim visits the link and hovers over the page’s tab navigation, the injected JavaScript executes in the SharePoint origin context, enabling session hijacking and unauthorized actions. Microsoft addressed this vulnerability in the June 2026 security update (KB5002880 for SharePoint Server 2016, KB5002874 for SharePoint Server 2019). ...

June 16, 2026 · 8 min · Aretiq AI
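The attribute-injection mechanism above, as an added example (not SharePoint's rendering code or code from the post). The tag markup and the payload are constructed; the parser shows what a browser would see in each case, and the extra URL check is the caveat a reviewer would add, because attribute encoding alone does not stop a javascript: link.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attack value: closes the href quote and adds an event handler
# that fires when the victim hovers over the rendered tab.
PAYLOAD = '/sites/hr/doc.docx" onmouseover="alert(document.domain)'


def render_tab_vulnerable(doc_url):
    """Mirrors the flaw: the query-string value is concatenated into href as-is."""
    return '<a href="' + doc_url + '" class="ms-tab">Workflow</a>'


def render_tab_fixed(doc_url):
    """Attribute-encode the value so a quote cannot terminate the attribute."""
    return '<a href="' + escape(doc_url, quote=True) + '" class="ms-tab">Workflow</a>'


def is_acceptable_doc_url(doc_url):
    """Encoding stops attribute breakout but not javascript: links, so also
    restrict the value to site-relative paths or http(s) URLs."""
    parts = urlsplit(doc_url)
    if parts.scheme:
        return parts.scheme.lower() in ("http", "https")
    return doc_url.startswith("/") and not doc_url.startswith("//")


class _AnchorAttrs(HTMLParser):
    """Parse the first <a> tag the way a browser would, decoding entities."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(html):
    """Return the attribute dict of the first <a> tag in html."""
    p = _AnchorAttrs()
    p.feed(html)
    return p.attrs or {}
```

Parsing the vulnerable output yields an onmouseover attribute beside href; parsing the fixed output yields only href and class, with href equal to the original string.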

CVE-2026-45454 — Microsoft SharePoint Server Upload Page Folder Path Traversal to Remote Code Execution

A path traversal vulnerability exists in the SharePoint Server file upload page (Upload.aspx). The UploadPage.CurrentFolder property resolves the upload destination from the user-supplied RootFolder query string parameter without validating that the resolved folder belongs to the document library specified by the List parameter. An authenticated attacker with upload permissions to one document library can craft a request that uploads files to a different, restricted document library on the same site — including the Master Page Gallery (_catalogs/masterpage). ...

June 10, 2026 · 11 min · Aretiq AI

CVE-2026-28318 — SolarWinds Serv-U HTTP Deflate Uncontrolled Resource Consumption

A vulnerability exists in SolarWinds Serv-U’s HTTP request handler that processes Content-Encoding: deflate encoded POST bodies. The server decompresses incoming deflate-encoded payloads without enforcing any limit on the decompressed size, allowing an attacker to send a small (~260 KB) compressed payload that expands to hundreds of megabytes in memory (a single deflate stream expands by at most roughly 1032:1, so ~260 KB of input inflates to on the order of 270 MB). This uncontrolled memory allocation causes the Serv-U process to crash with SIGABRT, resulting in a complete denial of service. The attack requires no authentication and can be performed by any network-accessible client. SolarWinds addressed this vulnerability in Serv-U 15.5.4 Hotfix 1, released June 4, 2026. CISA added this CVE to the Known Exploited Vulnerabilities catalog on June 5, 2026, citing active exploitation in the wild. ...

June 7, 2026 · 12 min · Aretiq AI
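The decompression-bomb shape and the bound that Serv-U's handler lacked, as an added example (not Serv-U code or code from the post). The bomb is constructed from a run of zeros; the bounded inflater drives zlib with max_length so that an overrun is detected before any large buffer exists. Sizes are this example's choice; the 1032:1 figure is deflate's ceiling.

```python
import zlib


class DecompressionBombError(ValueError):
    pass


def deflate_body(data):
    """zlib-wrapped stream, which is what Content-Encoding: deflate specifies
    (many servers also accept raw deflate; the bound below applies to both)."""
    return zlib.compress(data)


def make_deflate_bomb(decompressed_size):
    """Constructed attack body: zeros compress at close to deflate's ~1032:1 ceiling."""
    return zlib.compress(b"\x00" * decompressed_size, 9)


def compression_ratio(compressed, decompressed_size):
    return decompressed_size / len(compressed)


def decompress_bounded(data, max_out):
    """Inflate data, refusing to materialise more than max_out bytes."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf and not d.eof:
        # Ask for at most one byte beyond the remaining budget: an overrun is
        # then visible after a small chunk rather than after a huge allocation.
        chunk = d.decompress(buf, max_out - len(out) + 1)
        out += chunk
        if len(out) > max_out:
            raise DecompressionBombError(f"decompressed size exceeds {max_out} bytes")
        buf = d.unconsumed_tail      # input zlib has not looked at yet
    out += d.flush()
    if len(out) > max_out:
        raise DecompressionBombError(f"decompressed size exceeds {max_out} bytes")
    return bytes(out)


def exceeds_limit(data, max_out):
    """Verdict-only wrapper: True if the body would blow the budget."""
    try:
        decompress_bounded(data, max_out)
    except DecompressionBombError:
        return True
    return False
```

A 16 MiB run of zeros compresses to well under 64 KB, and inflating it under a 1 MiB budget stops after the first chunk; ordinary bodies at or under the budget inflate normally.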

CVE-2026-3593 — ISC BIND 9 DNS-over-HTTPS HTTP/2 SETTINGS Use-After-Free

A use-after-free vulnerability exists in ISC BIND 9’s DNS-over-HTTPS (DoH) implementation. When a DoH response has been sent, the response buffer is freed but a dangling pointer (socket->h2->wbuf) is left pointing to the freed memory. If a client floods HTTP/2 SETTINGS frames that change INITIAL_WINDOW_SIZE, the nghttp2 library re-evaluates stream flow control and calls the data provider callback (server_read_callback), which reads from the freed buffer via memmove(). The UAF read is confirmed by AddressSanitizer and crashes ASAN-instrumented builds in roughly 40% of attempts. Against production BIND builds using jemalloc, the freed memory remains mapped and the read succeeds silently — the server does not crash. Information disclosure via the HTTP/2 DATA stream was not confirmed: although server_read_callback reads freed heap bytes, nghttp2 discards the result because the stream’s data provider had already signaled EOF; no extra bytes are transmitted to the attacker. The practical impact is therefore denial of service against sanitizer-instrumented builds, and a latent memory safety violation in production that could become exploitable if nghttp2’s internal handling changes. ISC addressed this vulnerability in BIND 9.20.23 and 9.21.22. ...

June 5, 2026 · 10 min · Aretiq AI
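The trigger traffic described above is a burst of HTTP/2 SETTINGS frames on stream 0. This added example (not BIND, nghttp2 or post code) encodes and decodes that frame per RFC 9113 and counts INITIAL_WINDOW_SIZE changes in a captured client stream, which is the pattern a detection would key on. The alternating window values in the flood builder are this example's choice, not a detail from the advisory.

```python
import struct

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
MAX_WINDOW_SIZE = 2**31 - 1   # anything larger is a FLOW_CONTROL_ERROR (RFC 9113 6.5.2)


def encode_frame(ftype, flags, stream_id, payload):
    """9-byte header: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for one frame")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def encode_settings(settings, ack=False):
    """settings: list of (identifier, value) pairs. SETTINGS lives on stream 0."""
    if ack and settings:
        raise ValueError("a SETTINGS ACK carries no payload")
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    return encode_frame(FRAME_SETTINGS, FLAG_ACK if ack else 0, 0, payload)


def decode_frame(buf):
    """Return (type, flags, stream_id, payload, rest) for the frame at the start of buf."""
    if len(buf) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return ftype, flags, stream_id, payload, buf[9 + length:]


def decode_settings(payload):
    if len(payload) % 6:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload not a multiple of 6")
    settings = [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]
    for ident, value in settings:
        if ident == SETTINGS_INITIAL_WINDOW_SIZE and value > MAX_WINDOW_SIZE:
            raise ValueError("FLOW_CONTROL_ERROR: INITIAL_WINDOW_SIZE above 2^31-1")
    return settings


def is_valid_settings_payload(payload):
    try:
        decode_settings(payload)
    except ValueError:
        return False
    return True


def window_size_flood(rounds):
    """Constructed client stream: preface, then SETTINGS frames that keep toggling
    INITIAL_WINDOW_SIZE, each forcing flow-control re-evaluation on open streams."""
    frames = [encode_settings([(SETTINGS_INITIAL_WINDOW_SIZE,
                                MAX_WINDOW_SIZE if i % 2 else 65535)])
              for i in range(rounds)]
    return HTTP2_PREFACE + b"".join(frames)


def count_window_size_changes(stream):
    """Detection helper: number of non-ACK SETTINGS frames on stream 0 that carry
    INITIAL_WINDOW_SIZE; a burst of these is the trigger pattern."""
    if stream.startswith(HTTP2_PREFACE):
        stream = stream[len(HTTP2_PREFACE):]
    count = 0
    while stream:
        ftype, flags, stream_id, payload, stream = decode_frame(stream)
        if ftype == FRAME_SETTINGS and not flags & FLAG_ACK and stream_id == 0:
            if any(i == SETTINGS_INITIAL_WINDOW_SIZE for i, _ in decode_settings(payload)):
                count += 1
    return count
```

A conforming peer must ACK each SETTINGS frame, so a client that sends hundreds of them without waiting is easy to distinguish from normal negotiation, where one or two appear at connection start.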

CVE-2026-8206 — Themeum Kirki WordPress Plugin Password Reset Email Redirect Privilege Escalation

A vulnerability exists in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress, in the password reset functionality exposed via the REST API. The handle_forgot_password endpoint accepts a username and an arbitrary email address; when a reset is requested by username, the plugin generates a valid password reset key but sends the reset link to the attacker-supplied email instead of the user’s registered email. An unauthenticated attacker can exploit this to receive the password reset link for any user account—including administrator—and take over the account by resetting its password. The vulnerability affects versions 6.0.0 through 6.0.6 and was fixed in version 6.0.7. ...

June 2, 2026 · 10 min · Aretiq AI
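The recipient-selection flaw above, modelled as an added example (not Kirki or WordPress code, nor code from the post). The user table and outbox are constructed stand-ins for WordPress users and wp_mail(); hashing the reset key before storage and returning the same response whether or not the account exists are this example's choices, the second being the enumeration caveat a reviewer would raise alongside the fix.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    login: str
    email: str
    reset_key_hash: Optional[str] = None


# Constructed user table; the outbox is a list of (recipient, link) tuples.
USERS = {
    "admin": User("admin", "admin@corp.example"),
    "editor": User("editor", "editor@corp.example"),
}


def issue_reset_link(user):
    """Mint a reset key and store only its hash on the user record."""
    key = secrets.token_urlsafe(32)
    user.reset_key_hash = hashlib.sha256(key.encode()).hexdigest()
    return f"https://site.example/wp-login.php?action=rp&key={key}&login={user.login}"


def forgot_password_vulnerable(params, users, outbox):
    """Mirrors the flaw: the key is minted for the account named in user_login
    but mailed to whatever 'email' the request carried."""
    user = users.get(params.get("user_login", ""))
    if user is None:
        return {"success": False, "message": "Invalid username"}
    recipient = params.get("email") or user.email   # attacker-controlled
    outbox.append((recipient, issue_reset_link(user)))
    return {"success": True}


def forgot_password_fixed(params, users, outbox):
    """Recipient always comes from the stored record; the request-supplied email
    is only used to look the account up. Same response either way."""
    user = users.get(params.get("user_login", ""))
    if user is None:
        wanted = params.get("email", "").lower()
        user = next((u for u in users.values() if u.email.lower() == wanted), None)
    if user is not None:
        outbox.append((user.email, issue_reset_link(user)))
    return {"success": True, "message": "If the account exists, a reset link has been sent."}


def verify_reset_key(user, presented_key):
    """Constant-time comparison of the presented key against the stored hash."""
    if user.reset_key_hash is None:
        return False
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    return secrets.compare_digest(digest, user.reset_key_hash)
```

The same request, user_login=admin with an attacker's email, lands the link in the attacker's inbox under the vulnerable handler and in admin@corp.example under the fixed one.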

CVE-2026-48827 — Apache MINA SSHD sshd-git Path Traversal Info Disclosure

A path traversal vulnerability exists in the Apache MINA SSHD sshd-git module, which provides Git-over-SSH server functionality. The module fails to validate user-supplied repository paths for directory traversal sequences when handling git-upload-pack and git-receive-pack commands. An SSH-authenticated attacker can supply paths containing ../ to escape the configured Git root directory and access arbitrary Git repositories on the server filesystem, exfiltrating source code, configuration, and secrets. The vulnerability also permits unauthorized writes to repositories via git-receive-pack (push). Apache addressed this vulnerability in MINA SSHD 2.18.0 and 3.0.0-M4, released May 2026. ...

June 1, 2026 · 9 min · Aretiq AI

CVE-2026-48866 — WordPress Gravity Forms Plugin File Upload Path Traversal Arbitrary File Deletion

A path traversal vulnerability exists in the Gravity Forms WordPress plugin’s file deletion mechanism. When processing entries that contain file upload fields, the plugin converts stored file URLs to filesystem paths using a simple string replacement without validating that the resulting path remains within the uploads directory. An unauthenticated attacker can submit a form with a crafted gform_uploaded_files parameter containing directory traversal sequences (../), which are stored in the entry database. When a privileged user subsequently deletes the entry or its attached files, the traversal sequences cause the plugin to delete arbitrary files on the server. Deleting critical files such as wp-config.php results in complete site unavailability. Rocketgenius addressed this vulnerability in Gravity Forms version 2.10.1. ...

June 1, 2026 · 12 min · Aretiq AI
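Three of the entries above (SharePoint Upload.aspx, MINA sshd-git, and Gravity Forms) share one root cause: a user-controlled path is resolved without checking that the result stays inside the root it was supposed to be under. This added example (not code from any of the three projects or from the posts) uses a single containment check and applies it to each shape of input: a server-relative RootFolder that must belong to the List's library, a git-upload-pack/git-receive-pack argument that must stay under the git root, and a stored file URL converted to a deletion path. The roots, URLs and command strings are constructed.

```python
import posixpath
import shlex
from urllib.parse import unquote, urlsplit


def is_within(root, path):
    """Lexical containment: True if the normalised path is root or lies beneath it.
    Code touching a real filesystem should realpath() both sides as well, so a
    symlink cannot re-introduce the escape this check removes."""
    root_n = posixpath.normpath(root)
    path_n = posixpath.normpath(path)
    return path_n == root_n or path_n.startswith(root_n.rstrip("/") + "/")


# SharePoint Upload.aspx: RootFolder must resolve inside the library named by List.
def sharepoint_upload_folder(list_root_url, root_folder_param):
    """Server-relative folder to upload into, or None if RootFolder resolves
    outside the requested library (traversal or simply another library)."""
    folder = posixpath.normpath("/" + unquote(root_folder_param).lstrip("/"))
    return folder if is_within(list_root_url, folder) else None


# MINA sshd-git: the repository argument of git-upload-pack / git-receive-pack.
def git_repository_path(git_root, ssh_command):
    """Parse "git-upload-pack '<path>'" and map <path> under git_root; None when
    the argument escapes the root or the command is not a git service."""
    argv = shlex.split(ssh_command)
    if len(argv) != 2 or argv[0] not in ("git-upload-pack", "git-receive-pack"):
        return None
    repo = posixpath.normpath(posixpath.join(git_root, argv[1].lstrip("/")))
    return repo if is_within(git_root, repo) else None


# Gravity Forms: stored file URL converted to the path that gets unlinked.
def gravity_delete_target_vulnerable(upload_url, upload_dir, file_url):
    """Mirrors the flaw: URL to path by bare string replacement, no containment.
    Returns the path the OS would actually unlink after normalisation."""
    return posixpath.normpath(file_url.replace(upload_url, upload_dir))


def gravity_delete_target_fixed(upload_url, upload_dir, file_url):
    """Require the URL to live under the uploads URL, rebuild the path from the
    relative part, and refuse anything that normalises outside upload_dir."""
    if not file_url.startswith(upload_url.rstrip("/") + "/"):
        return None
    rel = unquote(urlsplit(file_url).path)[len(urlsplit(upload_url).path):]
    target = posixpath.normpath(posixpath.join(upload_dir, rel.lstrip("/")))
    return target if is_within(upload_dir, target) else None
```

Note that the SharePoint wrapper rejects a RootFolder in a different library even without any ../ in it, which is the page's point: the bug is the missing "belongs to List" check, not only missing traversal filtering.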

CVE-2026-8054 — dotCMS Core Publish Audit API SQL Injection

A critical SQL injection vulnerability exists in the dotCMS Core content management system’s Publish Audit API. The /api/auditPublishing/getAll REST endpoint accepts a JSON array of bundle identifiers and passes them unsanitized into a SQL query via string concatenation, allowing an attacker to inject arbitrary SQL statements. The endpoint requires no authentication, enabling an unauthenticated remote attacker to read, modify, or destroy the entire dotCMS PostgreSQL database with a single HTTP request. dotCMS addressed this vulnerability in version 26.04.28-03 by parameterizing the SQL query and adding Push Publish JWT token authentication to the affected endpoints. ...

May 27, 2026 · 12 min · Aretiq AI
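The query shape above and its parameterised replacement, as an added example (not dotCMS code or code from the post). The table, rows and payloads are constructed, and an in-memory SQLite database stands in for dotCMS's PostgreSQL so the example runs offline; the Java equivalent of the fix is a PreparedStatement with one placeholder per identifier. The JWT authentication that the fix also added is not modelled here.

```python
import json
import sqlite3

# Constructed stand-in for the audit table (hypothetical name and columns).
SCHEMA = """
CREATE TABLE publish_audit (
    bundle_id   TEXT PRIMARY KEY,
    status      TEXT NOT NULL,
    environment TEXT NOT NULL
)"""
ROWS = [("b-1", "success", "prod"), ("b-2", "failed", "prod"), ("b-3", "pending", "staging")]


def seed_database():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO publish_audit VALUES (?, ?, ?)", ROWS)
    return con


def get_all_vulnerable(con, body):
    """Mirrors the flaw: each identifier from the JSON array is quoted by hand
    and spliced into the IN (...) list."""
    ids = json.loads(body)
    in_list = ", ".join(f"'{bundle_id}'" for bundle_id in ids)
    sql = f"SELECT bundle_id, status FROM publish_audit WHERE bundle_id IN ({in_list})"
    return con.execute(sql).fetchall()


def get_all_fixed(con, body):
    """Type-check the array and bind every identifier; the placeholder count is
    derived from the list length, never from its contents."""
    ids = json.loads(body)
    if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
        raise ValueError("expected a JSON array of string bundle identifiers")
    if not ids:
        return []
    placeholders = ", ".join("?" for _ in ids)
    sql = f"SELECT bundle_id, status FROM publish_audit WHERE bundle_id IN ({placeholders})"
    return con.execute(sql, ids).fetchall()


# Constructed payloads. The quote and parenthesis are balanced against the
# IN (...) wrapper so the injected SQL parses; the second one reads the schema
# catalogue (information_schema would play the same role on PostgreSQL).
DUMP_ALL = json.dumps(["x') OR ('1'='1"])
SCHEMA_LEAK = json.dumps(["x') UNION SELECT name, sql FROM sqlite_master WHERE ('1'='1"])
```

Against the vulnerable function DUMP_ALL returns every audit row and SCHEMA_LEAK returns catalogue entries; the fixed function treats both strings as identifiers that match nothing.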

CVE-2026-9256 — NGINX ngx_http_rewrite_module Overlapping PCRE Captures Heap Buffer Overflow RCE

A heap buffer overflow vulnerability exists in the NGINX ngx_http_rewrite_module when processing rewrite directives that use overlapping Perl-Compatible Regular Expression (PCRE) capture groups with a redirect or query-string replacement. When a rewrite rule like ^/((.*))$ produces multiple captures referencing the same URI content and the replacement string references both captures (e.g., $1$2), the buffer allocation underestimates the space needed for URI-escaped output, leading to a heap overflow in the worker process. An unauthenticated remote attacker can send crafted HTTP requests containing URI characters that require escaping (such as +) to crash the NGINX worker process or potentially achieve remote code execution. The vulnerability provides both a controlled heap write primitive and an information disclosure primitive — the overflow causes adjacent heap data (including pool pointers) to leak into the HTTP response, enabling ASLR bypass. Combined with the attacker-controlled overflow content and nginx’s deterministic pool allocator, this creates a viable path to code execution. F5/NGINX addressed this vulnerability in nginx 1.31.1 (mainline) and 1.30.2 (stable), released May 22, 2026. ...

May 25, 2026 · 13 min · Aretiq AI
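Before patching, an operator wants to know which rewrite rules match the shape described above: nested (overlapping) capture groups with a replacement that references more than one capture. This added example (not nginx code or code from the post) is a triage scanner over nginx.conf text; the sample configuration is constructed, and the flagging rule is a heuristic that mirrors the advisory's description, so reachability of each flagged rule still needs manual review.

```python
import re

# Constructed sample configuration, not from the advisory.
SAMPLE_CONF = """
server {
    rewrite ^/((.*))$ /new/$1$2 redirect;
    rewrite "^/docs/((v\\d+)/.*)$" /archive/$1?ver=$2 last;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/((.*))$ /x/$1 break;
}
"""

_TOKEN = r'("[^"]*"|\'[^\']*\'|\S+)'
REWRITE_RE = re.compile(
    r"^\s*rewrite\s+" + _TOKEN + r"\s+" + _TOKEN
    + r"(?:\s+(last|break|redirect|permanent))?\s*;", re.MULTILINE)


def _unquote(token):
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def has_nested_captures(regex):
    """True if a capturing group opens while another capturing group is still
    open, i.e. two captures will cover overlapping spans of the URI."""
    open_groups = []        # stack of booleans: is this open group capturing?
    in_class = False
    i = 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":       # skip escaped character
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            # (?:...), lookarounds and inline flags do not capture;
            # (?<name>...) and (?P<name>...) do.
            capturing = (not regex.startswith("(?", i)
                         or regex.startswith("(?P<", i)
                         or (regex.startswith("(?<", i)
                             and not regex.startswith(("(?<=", "(?<!"), i)))
            if capturing and any(open_groups):
                return True
            open_groups.append(capturing)
        elif c == ")" and open_groups:
            open_groups.pop()
        i += 1
    return False


def scan_rewrites(conf):
    """One finding per rewrite directive; 'flagged' marks nested captures
    combined with two or more $N references in the replacement."""
    findings = []
    for m in REWRITE_RE.finditer(conf):
        regex, replacement, flag = _unquote(m.group(1)), _unquote(m.group(2)), m.group(3)
        refs = re.findall(r"\$(\d+)", replacement)
        nested = has_nested_captures(regex)
        findings.append({
            "regex": regex,
            "replacement": replacement,
            "flag": flag,
            "nested_captures": nested,
            "capture_refs": len(refs),
            "query_string": "?" in replacement,
            "flagged": nested and len(refs) >= 2,
        })
    return findings
```

The scanner does not follow include directives or expand variables, and it only reads the rewrite lines it can parse; treat its output as a worklist, not a verdict.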