Vulnerability Trends — Top Exploited CVEs and Zero-Days | dbugs
#1 · PT-2026-53941 · Orkes · Orkes Conductor
9.8
Critical
Base
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Orkes Conductor versions 3.21.21 through 3.30.1
Description
An unauthenticated remote code execution issue allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint. This occurs when unsandboxed GraalVM evaluators are configured with
MoreHostAccess.ALL or...Exploit
Fix
RCE
Code Injection
X.com
3 Posts
6Reposts
406.8 K Audience
Related posts · 5
We're sharing our deep dive into CVE-2026-58138, a critical unauthenticated RCE in Conductor with a CVSS score of 9.8, where a single POST request can lead to arbitrary OS command execution on the server.
The post walks through how the vulnerability reaches GraalJS and GraalPy evaluators, how we reproduced it across multiple workflow task types, and how OpenTaint traced the complete path from HTTP input to code execution.
If you run Conductor, upgrade to version 3.30.2 or later, and take a look at the full technical analysis: https://t.co/xmIyhOvTos
2026-07-16 14:33:52
🚨 CVE-2026-58138
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.
🎖@cveNotify
2026-07-01 16:23:29
CVE-2026-58138 Orkes Conductor
Unauthenticated RCE could let attackers execute OS commands, turning orchestration infrastructure into a wider operational compromise risk
Full analysis:
https://t.co/MJtABOyUu5
#CyberSecurity #VulnerabilityManagement #CloudSecurity
2026-07-01 09:54:10
#2 · PT-2026-58211 · Microsoft · Age Of Empires Ii: Definitive Edition Game
CVE-2026-50663
·
Published
2026-07-14
·
Updated
2026-07-16
8.8
High
Base
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Age of Empires II: Definitive Edition (affected versions not specified)
Description
A relative path traversal issue allows an unauthorized attacker to achieve remote code execution over a network. The attack occurs when a user joins an attacker-controlled lobby and accepts User Generated Content (UCG), which is content created by players rather than the developers.
**Recomm...
MoreRCE
Relative Path Traversal
X.com
4 Posts
264Reposts
236.0 K Audience
Related posts · 4
Microsoft patches Age of Empires II bug that enabled RCE via game invite
What this means
Here's the thing: even a 25-year-old strategy classic can still open a hole in your PC. In Tuesday's Patch Tuesday, Microsoft fixed CVE-2026-50663 in the remastered Age of Empires II. Security researchers say a crafted malicious game invite could let attackers take over a victim's machine — join a lobby, auto-accept user-generated content, get remote code execution. Rapid7 notes success meant planting malicious files and running code. No evidence of in-the-wild exploitation yet, but gaming invites are a known malware delivery path for password theft and more.
Hidden points
- Part of a record-size Microsoft patch batch that the company partly credits to AI-assisted bug discovery
- Researcher Rick de Jager posted a demo on X of the AoE RCE chain
- Remastered multiplayer path is the risk surface — not just offline campaign nostalgia
- Classic lesson: old software still shipping online features inherits modern threat models
Real impact / takeaways
Basically, if you still play AoE II online, update now and treat random lobby invites like sketchy email attachments. For security teams, game clients remain a soft underbelly on corporate machines. For Microsoft, it's another reminder that the gaming catalog is part of the enterprise patch surface, not a side hobby.
Bottom line
Microsoft patched an Age of Empires II remaster flaw that could RCE a PC through a malicious game invite — no known mass exploit yet, still worth updating.
Source : TechCrunch
#Microsoft #Cybersecurity #AgeOfEmpires #PatchTuesday #Gaming
2026-07-16 05:07:58
Yes, please hold.
“Security researcher @rdjgr details CVE-2026-50663, an Age of Empires RCE vulnerability from Patch Tuesday that lets attackers achieve remote code execution when victims join a malicious lobby and accept UGC.
• The core issue is a path traversal bug reachable through custom scenarios or lobby file transfers, allowing file overwrites such as the bug reporter EXE or game DLLs with limited user interaction.
• Exploitation uses real-time traffic interception via a custom proxy inspired by Burp Suite, built through reverse engineering; the fix shipped in April 2026 but received its CVE assignment later.”
2026-07-16 03:39:00
Microsoft fixed an Age of Empires RCE from yesterday’s Patch Tuesday (CVE-2026-50663). Here is an example of how it was done.
2026-07-15 20:16:12
#3 · PT-2026-34274 · Linux · Linux Kernel
7.8
High
Base
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.0
Linux kernel versions prior to 6.19.12
Description
A flaw exists in the
Morealgif aead cryptographic algorithm interface of the Linux kernel. The issue stems from an incorrect in-place operation during cryptographic processing where source and destination data mappings differ. A local attacker with low privileges can exploit this by splicing...Exploit
Fix
RCE
DoS
LPE
Use After Free
X.com
849 Posts
6.7 KReposts
5.4 M Audience
Related posts · 1131
page_inject: CVE-2026-31431-killed page-cache exploit — code exec into containers sharing the same image layer https://t.co/MpE67wx8Lk #cyber #threathunting #infosec
2026-07-15 15:27:41
The "Copy Fail" kernel LPE (CVE-2026-31431) is a good reminder that kernel CVEs are annoying to automate well: you have to patch, reboot to actually activate the new kernel, but you don't want to reboot 400 hosts that didn't get a kernel bump. Here's the pattern I use so the reboot is conditional and I get audit evidence out of the same run.
Record the running kernel, patch security-only, then reboot only if it changed:
- name: Running kernel before
command: uname -r
register: kern_before
changed_when: false
- name: Apply security updates
ansible.builtin.dnf:
name: "*"
security: true
state: latest
register: patch
- name: Newest installed kernel after
command: rpm -q --last kernel
register: kern_after
changed_when: false
- name: Reboot only if the kernel actually changed
ansible.builtin.reboot:
msg: "Activating patched kernel"
when: kern_before.stdout not in (kern_after.stdout_lines[0] | default(''))
Then scan AFTER the reboot (not before — otherwise your report reflects the pre-patch state and you chase findings that are already fixed):
- name: OpenSCAP eval -> dated ARF + HTML
command:
argv:
- oscap
- xccdf
- eval
- --profile
- xccdf_org.ssgproject.content_profile_stig
- --results-arf
- "/var/log/evidence/arf-{{ inventory_hostname }}-{{ ansible_date_time.iso8601_basic_short }}.xml"
- --report
- "/var/log/evidence/report-{{ inventory_hostname }}-{{ ansible_date_time.iso8601_basic_short }}.html"
- "/usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml"
register: oscap
failed_when: oscap.rc not in [0, 2]
changed_when: false
Two gotchas that have bitten me:
- security: true needs the repo to publish updateinfo metadata. On minimal/custom mirrors it's missing and dnf silently patches nothing. Check `dnf updateinfo list security` on one host first.
- Dated evidence paths let you diff week-over-week and hand an auditor proof of remediation instead of "trust me."
I packaged the whole thing (targeted-CVE mode, canary rings, version-aware datastream) into a small MIT role if it's useful: https://github.com/arhab194/rhel-kev-patch
Curious how others here sequence scan-vs-reboot — do you scan pre-patch to prove the finding or post-patch to prove the fix?
2026-07-15 13:27:47
Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability https://t.co/ElHgzcOMKO
2026-07-15 02:23:00
#4 · PT-2026-60346 · 7 Zip · 7-Zip
CVE-2026-14266
·
Published
2026-07-15
·
Updated
2026-07-17
None
Name of the Vulnerable Software and Affected Versions
7-Zip versions prior to 26.02
Description
A flaw in the processing of XZ chunked data allows remote attackers to execute arbitrary code in the context of the current process. The issue occurs when the software processes specially crafted XZ-compressed data streams, triggering a heap-based buffer overflow. A heap-based buffer overflow is a memory corruption issue that happens...
MoreX.com
9 Posts
310Reposts
77.4 K Audience
Related posts · 10
Security Alert:
A critical vulnerability (CVE-2026-14266) in 7-Zip could allow attackers to execute malicious code through specially crafted XZ archive files.
#CyberSecurity #7Zip #SecurityAlert #PatchNow https://t.co/gNgKkt5QQl
2026-07-17 15:45:10
7-Zip XZ Decompression Heap-based Buffer Overflow Remote Code Execution Vulnerability CVE-2026-14266
This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of XZ chunked data. Crafted XZ-compressed data can trigger an overflow of a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the context of the current process.
2026-07-17 15:14:17
7-Zip CVE-2026-14266: The Serious Flaw Is a Different One
ZDI scored it 7.0 with a LOCAL vector, not the millions-at-risk RCE in the headlines. The 8.8 with a public PoC is CVE-2026-48095. Updating to 26.02 closes both.
#cybersecurity #infosec #7zip
2026-07-17 12:16:31
#5 · PT-2026-58291 · Sonicwall · Sma1000
10
Critical
Base
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SonicWall SMA 1000 (affected versions not specified)
Description
An issue exists in the Appliance Work Place interface due to insufficient server-side request validation. This allows a remote unauthenticated attacker to perform a Server-Side Request Forgery (SSRF), which is a technique that forces the server to make requests to unintended locations.
Recommendations
At t...
MoreRCE
LPE
SSRF
X.com
73 Posts
170Reposts
62.9 K Audience
Related posts · 92
Volexity: UTA0533 exploited SonicWall SMA 1000 0-days (CVE-2026-15409, CVE-2026-15410) since June 2026 to achieve RCE and deploy malware. https://t.co/2l95mRkEKU
2026-07-17 23:49:27
UTA0533 chained two zero-days against SonicWall SMA 1000 appliances, achieving root RCE and deploying memory-injected backdoors. Earliest compromise observed June 22, 2026. Patch now.
-
CVE-2026-15409 (SSRF/auth bypass): unauthenticated requests to /wsproxy with User-Agent "SMA Connect Agent" and bmID starting with -3389 tunnel WebSocket connections to localhost-only services including CouchDB (port 1050) and the control service (port 8188). No session cookie required. CVE-2026-15410 (command injection): sysCtrl.execRemoveHotfix passes caller-controlled input unsanitized into a path, enabling traversal to /tmp and root-level execution. Affected models: SMA 6210, 7210, 8200v. Patched in 12.4.3-03453 and 12.5.0-02835.
-
UTA0533 dropped ROOTRUN (xzfind, SHA256: 81a9af38...), a setuid ELF binary for privilege escalation, then KNUCKLEBALL (deploy_new.py, SHA256: 8c470301...), a Python loader that injects two JAR agents into the live workplace JVM. Those agents deliver Suo5 (HTTP proxy, agent_wp8.jar) and ORANGETAIL (Behinder-like webshell, agent_wp9.jar) entirely in memory, gated behind a fake User-Agent string.
-
Key disk artifacts: /usr/bin/xzfind, /usr/lib/python3.11/site-packages/deploy_new.py, persistence line in /etc/init.d/workplace, and modified /var/lib/unit/conf.json routing /api/login and /api/logout to 127.0.0.1:8085. On Appliance 2, /var/tmp contained tcpdump captures of cleartext LDAP (port 389) traffic, confirming credential harvesting.
#DFIR_Radar
2026-07-17 23:03:37
🚨 Patch SonicWall SMA1000 now — CVE-2026-15409 (CVSS 10.0 SSRF) is being exploited in the wild, now in CISA's KEV.
Also this week: CVE-2026-13001 (Podlove WP plugin RCE, 9.8), CVE-2026-14960 (Pegatron driver LPE, 9.8), MSFT Patch Tuesday.
For more: https://t.co/ZUTqqMjQUp
2026-07-17 20:46:17