Overview
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
QEMU abuse rising 🚨
QEMU used for stealth VMs, SSH tunnels, persistence
CVE-2025-26399, CitrixBleed2 exploited
💬 Monitoring VM layer yet?
Source: https://www.securityweek.com/hackers-abuse-qemu-for-defense-evasion/
Follow TechNadu
Overview
- spinnaker
- spinnaker
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
Spinnaker, the open-source continuous delivery platform from Netflix and Google, patched CVE-2026-32613, a CVSS 9.9 remote code execution in the Echo notification service. Echo did not restrict its Spring Expression Language context to trusted classes, giving attackers full Java process access. Maintainers back-ported across four branches (2026.1.0, 2026.0.1, 2025.4.2, 2025.3.2). Quality is what maintainers do the week a critical hits an old branch.
Overview
- NewSoft
- NewSoftOA
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
🚨 NewSoftOA faces a critical OS command injection (CVE-2026-5965, CVSS 9.3). Unauthenticated local attackers can run arbitrary OS commands. No patch yet – restrict access & monitor vendor updates! https://radar.offseq.com/threat/cve-2026-5965-cwe-78-improper-neutralization-of-sp-2ef8e92f #OffSeq #Infosec #Vuln
Overview
Description
Statistics
- 1 Post
Fediverse
#OT #Advisory VDE-2026-032
Endress+Hauser: sudo vulnerability affects Endress+Hauser MCS200HW
The display unit of the Endress+Hauser MCS200HW is affected by a sudo chroot vulnerability.
#CVE CVE-2025-32463
https://certvde.com/en/advisories/vde-2026-032/
#CSAF https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-032.json
Overview
- Microsoft
- Azure SRE Agent Gateway - SignalR Hub
Description
Statistics
- 1 Post
Fediverse
A security vulnerability in Azure's AI Agent allowed unauthorized access to commands, credentials, and sensitive information due to a flawed token verification system. This critical flaw, now patched and tracked as CVE-2026-32173, highlights growing concerns about AI agent security as rapid adoption outpaces governance controls.
https://www.govinfosecurity.com/token-flaw-turned-azures-ai-agent-into-spy-a-31462
Overview
- Quantum Networks
- Router QN-I-470
Description
Statistics
- 1 Post
Fediverse
🚨 HIGH severity alert: Quantum Networks QN-I-470 routers (6.1.1.B1) have a CLI OS command injection (CVE-2026-41036). Authenticated attackers can execute root commands remotely. Limit access & monitor systems. https://radar.offseq.com/threat/cve-2026-41036-cwe-78-improper-neutralization-of-s-3995b27c #OffSeq #Vuln #NetworkSecurity
Overview
Description
Statistics
- 1 Post
Fediverse
ZAST has identified and verified an insecure deserialization issue in pycel <= 1.0b30, now assigned CVE-2026-30108.
Project page: https://github.com/dgorissen/pycel
Project footprint: 618 GitHub stars as of April 20, 2026.
Package page: https://pypi.org/project/pycel/
Latest PyPI release: 1.0b30 on October 13, 2021.
The verified issue is in ExcelCompiler.from_file(), which loads pickle-backed files through pickle.load() without enforcing a trust boundary. The result is a deserialization path where attacker-controlled content can execute code before the application later rejects the loaded object.
This is a representative example of why security teams need automated exploit verification. A dangerous API can often be detected syntactically. The harder problem is determining whether a real product path makes that sink reachable with untrusted input and whether the impact is real. In this case, the PoC confirmed arbitrary code execution during deserialization.
ZAST.AI promotes findings into reports only after successful PoC validation, which supports a zero-false-positive operating model and helps teams prioritize what is demonstrably real.
Full report: https://blog.zast.ai/vulnerability%20research/ai%20security/Insecure-Deserialization-in-Pycel/
Overview
- OpenClaw
- OpenClaw
Description
Statistics
- 1 Post
Overview
- givanz
- Vvveb
Description
Statistics
- 1 Post
Fediverse
⚠️ CRITICAL: CVE-2026-39918 in givanz Vvveb <1.0.8.1 allows unauth RCE via code injection in the installation endpoint (unsanitized subdir param). Restrict access, monitor for updates, and deploy WAF rules. https://radar.offseq.com/threat/cve-2026-39918-cwe-94-improper-control-of-generati-40adcadb #OffSeq #Vulnerability #RCE #PHP
Overview
- Artifex Software Inc. *PyMuPDF*
- MuPDF
Description
Statistics
- 1 Post