Overview
- WordPress
- WordPress
Description
Statistics
- 16 Posts
- 52 Interactions
Fediverse
Update your WordPress to 7.0.2/6.9.5, it's important
ETA: the above text is not a call for CMS evangelists, just fucking don't thanks
@shellsharks New fodder for vulnerability.garden: wp2shell is CVE-2026-63030 / https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q
WordPress pre-auth RCE CVE-2026-63030 chains a REST batch bug with SQL injection. Details and a public PoC are out. Update to WordPress 7.0.2 now.
#WordPress #PreAuthRCE #CVE202663030 #SQLInjection #wp2shell #WebSecurity #InfoSec
‼️🚨 CVE-2026-63030 // wp2shell-poc: Proof-of-concept for an unauthenticated SQL injection in WordPress core that chains to remote code execution, via REST batch route confusion.
📰 Critical Unauthenticated RCE Flaw Found in WordPress Core
Critical unauthenticated RCE vulnerability (CVE-2026-63030) found in WordPress Core. Affects versions 6.9.x and 7.0.x. Allows full site takeover via REST API. Update to 6.9.5 or 7.0.2 now! #WordPress #CVE #RCE #PatchNow
🌐 cyber[.]netsecops[.]io
⚡ UPDATE: #wp2shell now has two CVEs, and a working proof-of-concept is public.
> CVE-2026-63030 breaks REST batch routing
> CVE-2026-60137 injects SQL
Chained, they give an anonymous attacker code execution on affected WordPress sites.
How the exploit path works: https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html
#WordPress admins - we got you covered! 🫡 → We've just shipped detection for #wp2shell through our Network Scanner. ⚡️ The fastest way to use it is to:
◉ run a single-CVE scan for CVE-2026-63030 - which also covers CVE-2026-60137 - the SQL injection flaw that chains to give attackers RCE
◉ Based on your scan results, either patch or confirm you're already on 6.8.6, 6.9.5, or 7.0.2.
◉ Re-scan to confirm remediation and rule out residual exposure across your other assets.
Remember: updating your main install doesn't cover *every* WP instance you own. Using Pentest-Tools.com means you can expand visibility across your wider attack surface, not just the site you remember exists.
Technical CVE details below. ↘︎↘︎↘︎
See why an estimated 500+ million websites running WP are vulnerable to this critical vulnerability: https://pentest-tools.com/vulnerabilities-exploits/wordpress-core-69-701-pre-auth-blind-sql-injection-batch-route-confusion_29451
WordPress Core "wp2shell" CRITICAL RCE chain (CVE-2026-63030 & CVE-2026-60137) actively exploited. Affects 6.9.0 – 6.9.4 & 7.0.0 – 7.0.1. Public PoCs out. Patch to 6.9.5/7.0.2 ASAP. Block REST API endpoints as temp mitigation. https://radar.offseq.com/threat/wordpress-core-wp2shell-rce-flaws-get-public-exploits-patch-now-99579d9a7c571599 #OffSeq #WordPress #RCE #Vuln
Bluesky
Overview
- WordPress
- WordPress
Description
Statistics
- 9 Posts
- 42 Interactions
Fediverse
Update your WordPress to 7.0.2/6.9.5, it's important
ETA: the above text is not a call for CMS evangelists, just fucking don't thanks
⚡ UPDATE: #wp2shell now has two CVEs, and a working proof-of-concept is public.
> CVE-2026-63030 breaks REST batch routing
> CVE-2026-60137 injects SQL
Chained, they give an anonymous attacker code execution on affected WordPress sites.
How the exploit path works: https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html
#WordPress admins - we got you covered! 🫡 → We've just shipped detection for #wp2shell through our Network Scanner. ⚡️ The fastest way to use it is to:
◉ run a single-CVE scan for CVE-2026-63030 - which also covers CVE-2026-60137 - the SQL injection flaw that chains to give attackers RCE
◉ Based on your scan results, either patch or confirm you're already on 6.8.6, 6.9.5, or 7.0.2.
◉ Re-scan to confirm remediation and rule out residual exposure across your other assets.
Remember: updating your main install doesn't cover *every* WP instance you own. Using Pentest-Tools.com means you can expand visibility across your wider attack surface, not just the site you remember exists.
Technical CVE details below. ↘︎↘︎↘︎
See why an estimated 500+ million websites running WP are vulnerable to this critical vulnerability: https://pentest-tools.com/vulnerabilities-exploits/wordpress-core-69-701-pre-auth-blind-sql-injection-batch-route-confusion_29451
WordPress Core "wp2shell" CRITICAL RCE chain (CVE-2026-63030 & CVE-2026-60137) actively exploited. Affects 6.9.0 – 6.9.4 & 7.0.0 – 7.0.1. Public PoCs out. Patch to 6.9.5/7.0.2 ASAP. Block REST API endpoints as temp mitigation. https://radar.offseq.com/threat/wordpress-core-wp2shell-rce-flaws-get-public-exploits-patch-now-99579d9a7c571599 #OffSeq #WordPress #RCE #Vuln
Bluesky
Overview
Description
Statistics
- 1 Post
- 5 Interactions
Fediverse
Hollo security updates: 0.8.9 and 0.9.9
If you run Hollo, update to a patched release now. CVE-2026-62857 affects Fedify's NodeInfo client, which Hollo uses to identify the software running on remote ActivityPub servers.
A NodeInfo lookup starts by fetching a remote server's /.well-known/nodeinfo document, then follows the NodeInfo document URL advertised in that response. The vulnerable getNodeInfo() path fetched both URLs without validating that they resolved to public network destinations. Because the second URL comes directly from a response controlled by the remote server, it could point to a loopback address, a link-local cloud metadata endpoint, an RFC 1918 private address, or even a data: URL.
An attacker who controls a remote server that Hollo discovers could therefore make the Hollo instance initiate requests to non-public network destinations, depending on the deployment environment and network routing.
The fix applies Fedify's public-address validation to both NodeInfo requests and every redirect hop. It also caps redirects, refuses cross-protocol redirects, and rejects non-HTTP(S) URLs. As a result, NodeInfo lookups for private or intranet addresses are now refused.
For full technical details of the underlying vulnerability, see the Fedify security advisory and the Fedify security announcement.
All Hollo versions in the supported 0.8.x and 0.9.x release lines up to and including 0.8.8 and 0.9.8 are affected. Patched releases are 0.8.9 for the 0.8.x series and 0.9.9 for the 0.9.x series.
Hollo 0.7.x is also affected. It and earlier release lines are no longer supported under the Hollo security policy. Upgrade to a supported release series rather than remaining on an older version.
For 0.8.x deployments, update to 0.8.9:
docker pull ghcr.io/fedify-dev/hollo:0.8.9For 0.9.x deployments, update to 0.9.9:
docker pull ghcr.io/fedify-dev/hollo:0.9.9After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to @rvzsec and @manus-use for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
Overview
- Canonical
- ubuntu-pro-client (ubuntu-advantage-tools)
- ubuntu-pro-client
Description
Statistics
- 1 Post
- 5 Interactions
Fediverse
Ubuntu Pro Client vulnerability CVE-2026-11386 (CVSS 9.0) lets a spoofed contract server inject APT sources and run code with root privileges.
#Ubuntu #UbuntuPro #CVE202611386 #Canonical #RCE #Linux #CyberSecurity
Overview
- @fastify/http-proxy
- @fastify/http-proxy
Description
Statistics
- 2 Posts
- 2 Interactions
Fediverse
🚨 Critical-severity security fix in @fastify/http-proxy@11.6.0 just released!
Patches CVE-2026-16117, prefix escape via URL-encoded characters.
https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-mx7v-qhg9-2mvv
Overview
- IBM
- Langflow OSS
Description
Statistics
- 1 Post
- 2 Interactions
Overview
- ServiceNow
- ServiceNow AI Platform
Description
Statistics
- 1 Post
- 1 Interaction
Overview
- scikit-hep
- uproot
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
scikit-hep uproot has a HIGH-severity code injection flaw (CVE-2026-9147, CVSS 8.5). Malicious ROOT files can trigger arbitrary Python code execution. Avoid untrusted files until fixed. Full details: https://radar.offseq.com/threat/cve-2026-9147-improper-control-of-generation-of-code-code-injection-in-scikit-hep-uproot-a352d097ded08c6a #OffSeq #Vulnerability #Python #ThreatIntel
Overview
Description
Statistics
- 1 Post
- 1 Interaction
Overview
- codeigniter4
- CodeIgniter4
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
CVE-2026-48062 - Unpatched Code Execution in CodeIgniter. MIME validation bypass allows PHP file upload with GIF content. CVSS 9.8. Update to 4.7.3 immediately. #CVE #CodeIgniter #infosec