Offensive Sequence

CVE-2026-26339: CWE-918 Server-Side Request Forgery (SSRF) in Hyland Alfresco Tr CVE-2026-26339 is a critical vulnerability classified under CWE-918 (Server-Side Request Forgery) affecting the Hyland Alfresco Transformation Service (Enterprise edition). This service is responsible for document processing and transformat

🚨 CRITICAL SSRF in Hyland Alfresco Transformation Service (Enterprise) enables unauthenticated RCE. Restrict access, monitor, and patch ASAP. https://radar.offseq.com/threat/cve-2026-26339-cwe-918-server-side-request-forgery-f1de4ab8 #OffSeq #Vulnerability #Alfresco

CVE-2026-25940: CWE-116: Improper Encoding or Escaping of Output in parallax jsP CVE-2026-25940 is a vulnerability identified in the parallax jsPDF library, specifically affecting versions prior to 4.2.0. jsPDF is widely used to programmatically generate PDF documents in JavaScript environments. The vulnerability stems

HIGH severity in jsPDF < 4.2.0: Improper output encoding lets attackers inject malicious code into PDFs when users interact with forms. Upgrade to 4.2.0+ & sanitize inputs! https://radar.offseq.com/threat/cve-2026-25940-cwe-116-improper-encoding-or-escapi-3b5e393d #OffSeq #jsPDF #security

CVE-2026-26360: CWE-73: External Control of File Name or Path in Dell Unisphere CVE-2026-26360 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in Dell Unisphere for PowerMax, specifically version 10.2. This vulnerability allows a remote attacker with low privileges to manipulate

Dell Unisphere for PowerMax v10.2 is at HIGH risk: CVE-2026-26360 enables remote file deletion by low-priv users. Restrict access, enforce least privilege, monitor for unusual file activity. Patch pending. https://radar.offseq.com/threat/cve-2026-26360-cwe-73-external-control-of-file-nam-58de98ef...

CVE-2026-22267: CWE-266: Incorrect Privilege Assignment in Dell PowerProtect Dat CVE-2026-22267 is an Incorrect Privilege Assignment vulnerability classified under CWE-266 affecting Dell PowerProtect Data Manager versions prior to 19.22. This vulnerability allows a low-privileged attacker who has remote access to the sy

Dell PowerProtect Data Manager pre-19.22 has a HIGH severity flaw (CVE-2026-22267) allowing remote privilege escalation. Restrict access, monitor for abuse, and contact Dell for updates. https://radar.offseq.com/threat/cve-2026-22267-cwe-266-incorrect-privilege-assignm-254d0ded #OffSeq #Vulnerabi...

CVE-2026-26358: CWE-862: Missing Authorization in Dell Unisphere for PowerMax CVE-2026-26358 is a vulnerability classified under CWE-862 (Missing Authorization) affecting Dell Unisphere for PowerMax, specifically version 10.2. The flaw arises because the software fails to properly enforce authorization checks on cert

Dell Unisphere for PowerMax 10.2 hit by a HIGH severity vuln: missing authorization lets remote low-priv users access sensitive storage ops. Restrict access, strengthen auth, monitor now! Details: https://radar.offseq.com/threat/cve-2026-26358-cwe-862-missing-authorization-in-de-3cb4a373 #OffSeq ...

CVE-2026-26358: CWE-862: Missing Authorization in Dell Unisphere for PowerMax CVE-2026-26358 is a vulnerability classified under CWE-862 (Missing Authorization) affecting Dell Unisphere for PowerMax, specifically version 10.2. The flaw arises because the software fails to properly enforce authorization checks on cert

Dell Unisphere for PowerMax hit by HIGH severity bug (CVE-2026-26358) — low-priv remote attackers can bypass auth & access sensitive storage. Restrict access, monitor activity, apply patches when out. https://radar.offseq.com/threat/cve-2026-26358-cwe-862-missing-authorization-in-de-3cb4a373 #Off...

CVE-2026-26360: CWE-73: External Control of File Name or Path in Dell Unisphere Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.

Dell Unisphere for PowerMax 10.2 faces a HIGH severity flaw (CVE-2026-26360). Remote, low privilege attackers can delete files. Monitor for fixes and restrict remote access. https://radar.offseq.com/threat/cve-2026-26360-cwe-73-external-control-of-file-nam-58de98ef #OffSeq #Dell #Security

CVE-2026-1994: CWE-269 Improper Privilege Management in clavaque s2Member – Exce The vulnerability identified as CVE-2026-1994 affects the s2Member plugin for WordPress, a widely used tool for managing memberships, content paywalls, and subscription access. The core issue stems from improper privilege management (CWE-26

⚠️ CRITICAL: s2Member plugin for WordPress lets unauthenticated attackers reset any user's password — admins included. Disable now, enforce MFA, monitor for updates. https://radar.offseq.com/threat/cve-2026-1994-cwe-269-improper-privilege-managemen-8fe39267 #OffSeq #WordPress #Security

CVE-2026-0926: CWE-98 Improper Control of Filename for Include/Require Statement CVE-2026-0926 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Programs) affecting the Prodigy Commerce plugin for WordPress. The flaw exists in the handling of the 'para

Prodigy Commerce plugin has a CRITICAL LFI flaw (CVE-2026-0926) on all versions — enables unauth RCE. No patch yet. Disable plugin & audit uploads now. https://radar.offseq.com/threat/cve-2026-0926-cwe-98-improper-control-of-filename--2995b72c #OffSeq #WordPress #Security

CVE-2026-2649: Integer overflow in Google Chrome CVE-2026-2649 is an integer overflow vulnerability identified in the V8 JavaScript engine component of Google Chrome prior to version 145.0.7632.109. The vulnerability arises when the engine improperly handles integer values during JavaScri

Chrome V8 flaw (HIGH severity): Integer overflow in versions <145.0.7632.109 can lead to remote code execution. Update Chrome now to stay protected! https://radar.offseq.com/threat/cve-2026-2649-integer-overflow-in-google-chrome-1776d2df #OffSeq #Chrome #Vulnerability

CVE-2026-2650: Heap buffer overflow in Google Chrome CVE-2026-2650 is a heap buffer overflow vulnerability identified in the Media component of Google Chrome versions prior to 145.0.7632.109. The vulnerability arises from improper handling of memory buffers during media processing, which can

Chrome HIGH severity buffer overflow (CVE-2026-2650): Remote attackers can exploit via crafted HTML. Update to 145.0.7632.109+ now for protection. https://radar.offseq.com/threat/cve-2026-2650-heap-buffer-overflow-in-google-chrom-0bc72c99 #OffSeq #Chrome #Security

CVE-2026-2686: OS Command Injection in SECCN Dingcheng G10 CVE-2026-2686 is a critical remote OS command injection vulnerability found in SECCN Dingcheng G10 firmware version 3.1.0.181203. The vulnerability resides in the 'qq' function within the /cgi-bin/session_login.cgi script, where the 'User'

SECCN Dingcheng G10 v3.1.0.181203 hit by CRITICAL OS command injection (CVE-2026-2686). Exploit code public — restrict access, monitor activity, and contact vendor ASAP. https://radar.offseq.com/threat/cve-2026-2686-os-command-injection-in-seccn-dingch-6d02b310 #OffSeq #Vulnerability #IoTSecurity

CVE-2026-27174: Improper Control of Generation of Code ('Code Injection') in ser CVE-2026-27174 is a severe vulnerability affecting MajorDoMo, a home automation platform developed by sergejey. The root cause is an include order bug in the file modules/panel.class.php, where a redirect() call intended to prevent unauthor

MajorDoMo users: CRITICAL RCE (CVE-2026-27174) lets unauth attackers run code remotely. Block admin panel externally, patch or disable console, and monitor now. No known exploits — move fast! https://radar.offseq.com/threat/cve-2026-27174-improper-control-of-generation-of-c-e7d5bad6 #OffSeq #Majo...

CVE-2026-27175: Improper Neutralization of Special Elements used in an OS Comman MajorDoMo, an open-source home automation platform developed by sergejey, suffers from a critical OS command injection vulnerability identified as CVE-2026-27175. The vulnerability exists in the rc/index.php endpoint, where the $param varia

MajorDoMo suffers CRITICAL OS command injection (CVSS 9.2). Unauthenticated RCE possible via rc/index.php & cycle_execs.php. Restrict access & sanitize inputs ASAP! https://radar.offseq.com/threat/cve-2026-27175-improper-neutralization-of-special--9a0f14bf #OffSeq #CVE202627175 #SmartHomeSecurity

CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestor

CRITICAL: sergejey MajorDoMo has a severe RCE (CVE-2026-27180). Attackers can deploy PHP files by poisoning update URLs. Patch now and audit your update settings! 🚨 https://radar.offseq.com/threat/cve-2026-27180-download-of-code-without-integrity--99709b79 #OffSeq #CVE #security

CVE-2026-27099: Vulnerability in Jenkins Project Jenkins CVE-2026-27099 is a stored cross-site scripting (XSS) vulnerability affecting Jenkins versions 2.483 through 2.550 and LTS versions 2.492.1 through 2.541.1. The vulnerability stems from Jenkins failing to properly escape user-supplied input

Jenkins HIGH severity XSS: Versions 2.483-2.550 (LTS 2.492.1-2.541.1) allow agent-level users to inject scripts. Patch & limit agent permissions now! 🚨 https://radar.offseq.com/threat/cve-2026-27099-vulnerability-in-jenkins-project-je-f2bd90c0 #OffSeq #Jenkins #Security

CVE-2026-1426: CWE-502 Deserialization of Untrusted Data in berocket Advanced AJ CVE-2026-1426 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the berocket Advanced AJAX Product Filters WordPress plugin versions up to 3.1.9.6. The flaw exists in the shortcode_check function with

HIGH severity alert: berocket Advanced AJAX Product Filters plugin (WordPress) vulnerable to PHP Object Injection (CVE-2026-1426). Requires Author access + Live Composer. Update or remove the plugin fast! https://radar.offseq.com/threat/cve-2026-1426-cwe-502-deserialization-of-untrusted-d5d3ff22 ...

CVE-2026-1435: CWE-613 Insufficient Session Expiration in Graylog Graylog Web In CVE-2026-1435 is a critical security vulnerability identified in Graylog Web Interface version 2.2.3, classified under CWE-613 (Insufficient Session Expiration). Graylog is a popular log management and analysis platform used by organization

Graylog Web Interface 2.2.3 hit by CRITICAL flaw: old session tokens stay valid, risking unauthorized access. Restrict exposure, enforce MFA, and monitor sessions until a patch arrives. https://radar.offseq.com/threat/cve-2026-1435-cwe-613-insufficient-session-expirat-34761982 #OffSeq #Graylog #V...

CVE-2026-2329: CWE-121 Stack-based Buffer Overflow in Grandstream GXP1610 CVE-2026-2329 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the HTTP API endpoint /cgi-bin/api.values.get of Grandstream GXP1610 series VoIP phones, including models GXP1610, GXP1615, GXP1620, GXP1625, GX

Grandstream GXP1610 series hit by CRITICAL vuln (CVE-2026-2329): unauth RCE via stack buffer overflow. Restrict HTTP API, segment devices, monitor for attacks. Patch when available! https://radar.offseq.com/threat/cve-2026-2329-cwe-121-stack-based-buffer-overflow--e34cb0a5 #OffSeq #VoIPSecurity #RCE

Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs Cybersecurity researchers have identified multiple critical security vulnerabilities in four popular Visual Studio Code extensions: Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. These extensions have a com

VS Code alert: CRITICAL flaws in Live Server, Code Runner & Markdown Preview Enhanced let attackers run remote code & steal files. Uninstall or disable now — patches pending. https://radar.offseq.com/threat/critical-flaws-found-in-four-vs-code-extensions-wi-563d9726 #OffSeq #Vulnerability #VSCode

CVE-2026-2495: CWE-89 Improper Neutralization of Special Elements used in an SQL CVE-2026-2495 is a SQL Injection vulnerability identified in the WPNakama plugin for WordPress, which facilitates team and multi-client collaboration, editorial, and project management functions. The vulnerability specifically targets the '

HIGH severity SQL Injection found in WPNakama plugin for WordPress (≤0.6.5). REST API flaw allows data exposure. Patch or deploy WAF now to mitigate risk! https://radar.offseq.com/threat/cve-2026-2495-cwe-89-improper-neutralization-of-sp-08e20fbb #OffSeq #WordPress #SQLInjection

CVE-2026-23647: CWE-798 Use of Hard-coded Credentials in Glory Global Solutions CVE-2026-23647 identifies a severe security vulnerability in the Glory Global Solutions RBG-100 recycler systems, specifically within the ISPK-08 software component. The root cause is the presence of hard-coded operating system credentials

CRITICAL: Hard-coded creds in Glory RBG-100 cash recyclers (CVE-2026-23647) allow remote admin access via SSH. Segment networks & restrict access ASAP — no patch yet. https://radar.offseq.com/threat/cve-2026-23647-cwe-798-use-of-hard-coded-credentia-6b5abde7 #OffSeq #vulnerability #cybersecurity

CVE-2026-1937: CWE-862 Missing Authorization in yaycommerce YayMail – WooCommerc The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all vers

CRITICAL: YayMail – WooCommerce Email Customizer flaw lets Shop Managers escalate privileges on any version. Audit user roles & restrict access now. Details: https://radar.offseq.com/threat/cve-2026-1937-cwe-862-missing-authorization-in-yay-12c0a139 #OffSeq #WordPress #WooCommerce

CVE-2026-22769: CWE-798: Use of Hard-coded Credentials in Dell RecoverPoint for CVE-2026-22769 is a critical security vulnerability identified in Dell RecoverPoint for Virtual Machines, specifically affecting versions prior to 6.0.3.1 HF1, including 5.3 SP4 P1. The vulnerability stems from the presence of hardcoded cre

Dell RecoverPoint for VMs hit by CRITICAL flaw: hardcoded creds enable remote root access (CVE-2026-22769). Upgrade or mitigate now to secure DR infra! 🔒 https://radar.offseq.com/threat/cve-2026-22769-cwe-798-use-of-hard-coded-credentia-cad7841a #OffSeq #Vulnerability #Dell

CVE-2026-26119: CWE-287: Improper Authentication in Microsoft Windows Admin Cent CVE-2026-26119 is a vulnerability classified under CWE-287 (Improper Authentication) found in Microsoft Windows Admin Center version 1809.0. Windows Admin Center is a web-based management tool for Windows servers and clusters, widely used i

HIGH severity alert: Windows Admin Center 1809.0 flaw (CVE-2026-26119) lets authorized users escalate privileges. No patch yet — restrict access & monitor for abuse. https://radar.offseq.com/threat/cve-2026-26119-cwe-287-improper-authentication-in--f09bdabb #OffSeq #WindowsAdminCenter #Vuln

CVE-2026-22048: 918 in NETAPP StorageGRID (formerly StorageGRID Webscale) CVE-2026-22048 is a Server-Side Request Forgery (SSRF) vulnerability identified in NETAPP StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4. This vulnerability specifically affects deployments where Single

🚨 HIGH-severity SSRF bug in NETAPP StorageGRID — SSO + Entra ID lets authenticated users disrupt configs or access. Upgrade or disable SSO ASAP! https://radar.offseq.com/threat/cve-2026-22048-918-in-netapp-storagegrid-formerly--5c913f90 #OffSeq #NETAPP #Vuln

CVE-2026-23599: Vulnerability in Hewlett Packard Enterprise (HPE) HPE Aruba Netw CVE-2026-23599 is a local privilege escalation vulnerability identified in Hewlett Packard Enterprise's Aruba Networking ClearPass OnGuard Software running on Linux platforms, specifically affecting versions 6.11.0 and 6.12.0. The vulnerabi

🚨 HIGH risk: HPE Aruba ClearPass Policy Manager (v6.11.0 & 6.12.0) has a local privilege escalation vuln — attackers can gain root. No patch yet; restrict local access & review admin privileges. https://radar.offseq.com/threat/cve-2026-23599-vulnerability-in-hewlett-packard-en-fdc96349 #OffSeq #V...

CVE-2026-1670: CWE-306 Missing Authentication for Critical Function in Honeywell CVE-2026-1670 is a critical security vulnerability identified in the Honeywell I-HIB2PI-UL 2MP IP device, specifically in version 6.1.22.1216. The root cause is a missing authentication mechanism on a critical API endpoint that handles pass

CRITICAL: Honeywell I-HIB2PI-UL 2MP IP (v6.1.22.1216) flaw allows unauth attackers to change password recovery emails — risk of device takeover. Patch or segment devices now. https://radar.offseq.com/threat/cve-2026-1670-cwe-306-missing-authentication-for-c-7263f78b #OffSeq #Honeywell #Vulnerability

CVE-2026-2630: CWE-78 Improper Neutralization of Special Elements used in an OS CVE-2026-2630 is a critical OS Command Injection vulnerability identified in Tenable Security Center, a widely used vulnerability management and security monitoring platform. The vulnerability stems from improper neutralization of special e

Critical OS Command Injection in Tenable Security Center (CVSS 9.9) allows authenticated attackers to execute code. Restrict access & monitor activity now. Patch when available! https://radar.offseq.com/threat/cve-2026-2630-cwe-78-improper-neutralization-of-sp-3ee12498 #OffSeq #Tenable #Security

CVE-2026-2439: CWE-340 Generation of Predictable Numbers or Identifiers in BVA C CVE-2026-2439 identifies a critical vulnerability in the BVA Concierge::Sessions Perl module versions 0.8.1 up to but not including 0.8.5, related to the generation of session identifiers. The generate_session_id function attempts to create

CRITICAL: Concierge::Sessions 0.8.1 – 0.8.4 generates insecure session IDs — attackers can hijack sessions. Upgrade or use secure RNG now! https://radar.offseq.com/threat/cve-2026-2439-cwe-340-generation-of-predictable-nu-8847b5d6 #OffSeq #CVE20262439 #security