Daily Threat Briefing — 2026-03-26

CISA KEV: Embedded malicious code in Trivy scanner allows attackers to access all CI/CD environment secrets including tokens, SSH keys, cloud credentials, and database passwords. Immediate remediation required.

Path traversal vulnerability allows attackers to bypass all authentication and access control via crafted URLs with traversal sequences. Complete compromise of protected resources possible.

API endpoint /api/file/readDir allows unauthenticated traversal and retrieval of all document filenames across notebooks without authentication checks.

Chained with CVE-2026-33670, attackers can retrieve document IDs and view complete content of all documents via /api/block/getChildBlocks without authentication.

Pongo2 template vulnerability in instance lifecycle management allows root-level arbitrary read/write operations on host server filesystem through template exploitation.

Django REST Framework configured with BasicAuthentication without rate limiting allows credential brute-force attacks. AllAuth rate limiting not enforced on API endpoints.

Pagination token encryption weakness in listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers APIs enables SQL injection attacks.

Flawed pagination implementation allows SQL injection through encrypted pagination tokens, compromising authorization relationship data.

ListCourierMessages Admin API vulnerable to SQL injection via pagination token manipulation, exposing user communication data.

OAuth2 introspection authenticator cache fails to distinguish between different OAuth2 configurations, enabling authentication bypass through cache poisoning.

Payment verification function unconditionally skips signature validation for localhost requests, allowing payment transaction manipulation.

SAML-to-OAuth bridge accepts untrusted callbackUrl parameter enabling DOM XSS attacks during authentication flows.

macOS file-system access policy enforcement limited to ES_EVENT_TYPE_AUTH_OPEN events, allowing bypass through seven alternative file operation events.

Stack-based buffer overflow in POST request handler function formQuickIndex via PPPOEPassword parameter enables remote code execution.

Stack-based buffer overflow in fromAddressNat function through page parameter manipulation allows remote exploitation.

Authenticated remote code execution in web management interface when gateway mode enabled. Exploitable via specially crafted requests.

Laravel-based Sharp CMS FileUtil class fails to sanitize file extensions, allowing path separators to traverse storage layer and access arbitrary files.

Upload endpoint accepts client-controlled file type declarations, bypassing all file type restrictions for authenticated users.

Authenticated path traversal in chunked upload endpoint via checkSum field enables writing arbitrary files outside intended directories.

E-commerce platform vulnerable to stored XSS through database injection, exploitable by attackers with limited back-office access.

Flow YAML metadata fields rendered with html:true in Markdown component, enabling XSS through user-supplied description and input fields.

ALLOWED_HOSTS='*' configuration accepts arbitrary Host headers, enabling cache poisoning and password reset link hijacking attacks.

Bulk operation API endpoints can be hijacked to exfiltrate sensitive database information through specially crafted requests.

Glob matcher vulnerable to Regular Expression Denial of Service when processing crafted extglob patterns with overlapping quantifiers.

Multiple sequential optional groups generate exponentially growing regex patterns, causing denial of service.

Malformed DICOM files with non-standard VR types trigger vast memory allocations and resource depletion in Grassroots DICOM library.

S3 SSE-C encryption key exposed in plaintext through /status/config endpoint, potentially allowing unauthorized trace data decryption.

x0vncserver Image.cxx component allows unauthorized users to observe, manipulate screen contents, or crash application due to permission errors.

validateSignature function uses map iteration to match references, causing non-deterministic behavior in Go <1.22 that may bypass signature validation.

Stack-based buffer overflow in Zen C compiler allows arbitrary code execution during compilation via specially crafted source files.

llama-stack-operator lacks NetworkPolicy restrictions, allowing unauthorized cross-namespace access to Llama Stack services via direct network requests.

20 distinct malicious URLs identified hosting ClearFake fake browser update pages masquerading as Google verification. Domains span multiple infrastructure clusters including blackpeakstorage, whitetideinterface, coldstonemetrics, wildbranchcluster, ironrootprocessor, darkcloudgateway, bluepointterminal, and donkeyemploy networks.

Domain svc1sync.donkeyemploy[.]in.net observed distributing both ClearFake and ACRStealer malware, indicating multi-payload delivery capability.

Multiple IP addresses distributing 32-bit ELF Mozi variants for MIPS architecture devices through /bin.sh and /i endpoints. Source IPs include 91.143.172.196, 217.208.164.149, 115.58.170.232, 110.39.235.153, 59.88.4.199, 117.209.95.226, 27.193.157.41, 115.55.222.214, and 59.95.91.84.

ARM-architecture Mirai variants distributed from IPs 115.49.113.83, 223.151.251.178, 182.46.32.21, 60.20.51.232, and 42.242.128.139. Combined ARM/MIPS payloads observed indicating multi-architecture targeting.

IP 31.57.201.154 hosting complete Mirai deployment infrastructure with massload script and architecture-specific binaries (arm4, arm5, arm7, mips, mpsl) using wget-based user agents.

URL at 192.177.26.196/files/5848981546/hRw1yLa.exe distributing Smoke Loader malware dropped by Amadey initial access trojan. Tagged for C2 monitoring automation.