Overview
- CODESYS
- CODESYS Control RTE (SL)
Description
Statistics
- 1 Post
Fediverse
#OT #Advisory VDE-2026-011
CODESYS Control V3 - Untrusted boot application
The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application.
#CVE CVE-2025-41660
https://certvde.com/en/advisories/vde-2026-011/
#CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-02_vde-2026-011.json
Overview
- steveukx
- simple-git
Statistics
- 1 Post
Overview
- Apache Software Foundation
- Apache Struts
- com.opensymphony:xwork
Statistics
- 1 Post
Fediverse
ZAST engine has identified and verified hundreds of previously undisclosed 0-days so far in Q1 2026 across modern web applications, software supply chain code, and IoT systems.
One highlighted case is CVE-2025-68493 in Apache Struts, a widely deployed Java web framework: https://struts.apache.org/
Ecosystem exposure remains significant. Sonatype reported more than 387,000 downloads in one week for affected org.apache.struts:* artifacts, with most usage concentrated in end-of-life branches. That combination of legacy adoption and delayed remediation is exactly why verification matters for enterprise infrastructure.
Technically, the issue was an XXE in com.opensymphony.xwork2.util.DomHelper.parse(), where SAXParserFactory hardening was incomplete and external entity handling was not fully disabled.
ZAST.AI focuses on autonomous verification. Findings are promoted into reports only after successful PoC validation, which supports our zero-false-positive reporting standard and helps engineering teams spend time on issues that are demonstrably real.
Full report: https://blog.zast.ai/cybersecurity/artificial%20intelligence/The-End-of-Probabilistic-Assessment/
Source (Sonatype): https://www.sonatype.com/blog/years-old-apache-struts2-vulnerability-downloaded-325k-times-in-the-past-week
Overview
- immutable-js
- immutable-js
Statistics
- 2 Posts
Overview
- djangoproject
- Django
- django
Statistics
- 1 Post
Overview
- GNU
- inetutils
Statistics
- 1 Post
Overview
- dendibakh
- perf-ninja
Statistics
- 1 Post
Fediverse
🚨 CRITICAL: CVE-2026-4745 in dendibakh perf-ninja (CVSS 10) — remote code injection flaw in labs/misc/pgo/lua & ldo.C. No exploits yet, but restrict access, monitor logs, and prep for urgent patches. Full system compromise risk. https://radar.offseq.com/threat/cve-2026-4745-cwe-94-improper-control-of-generatio-1708b5aa #OffSeq #Vuln #AppSec
Overview
- InsightSoftwareConsortium
- ITK
Statistics
- 1 Post
Fediverse
🚨 CVE-2026-4739 (CRITICAL, CVSS 9.4) in ITK: Integer overflow in Expat XML parser enables remote code execution or DoS in medical/scientific apps. Update to v2.7.1 now. User interaction required. Details: https://radar.offseq.com/threat/cve-2026-4739-cwe-190-integer-overflow-or-wraparou-4dc9a6b8 #OffSeq #Vulnerability #ITK #Infosec