🚨 CRITICAL: CyferShepard Jellystat <1.1.10 vulnerable to SQL injection (CVE-2026-41167). Auth’d users can read any DB table & execute commands on the PostgreSQL host. Upgrade to 1.1.10 ASAP! https://radar.offseq.com/threat/cve-2026-41167-cwe-89-improper-neutralization-of-s-51b08aed #OffSeq #Jellystat #SQLi #Infosec

ZAST has identified and verified an insecure deserialization issue in pycel <= 1.0b30, now assigned CVE-2026-30108.

Project page: https://github.com/dgorissen/pycel
Project footprint: 618 GitHub stars as of April 20, 2026.
Package page: https://pypi.org/project/pycel/
Latest PyPI release: 1.0b30 on October 13, 2021.

The verified issue is in ExcelCompiler.from_file(), which loads pickle-backed files through pickle.load() without enforcing a trust boundary. The result is a deserialization path where attacker-controlled content can execute code before the application later rejects the loaded object.

This is a representative example of why security teams need automated exploit verification. A dangerous API can often be detected syntactically. The harder problem is determining whether a real product path makes that sink reachable with untrusted input and whether the impact is real. In this case, the PoC confirmed arbitrary code execution during deserialization.

ZAST.AI promotes findings into reports only after successful PoC validation, which supports a zero-false-positive operating model and helps teams prioritize what is demonstrably real.

Full report: https://blog.zast.ai/vulnerability%20research/ai%20security/Insecure-Deserialization-in-Pycel/

CW: Cybersecurity Technical Analysis

WordPress kembali menghadapi tantangan keamanan kritis. Kali ini menyerang plugin "Really Simple Security" (CVE-2024-10924) yang memungkinkan bypass autentikasi 2FA.

Baca selengkapnya di sini: https://analis-siber-purwakarta.blogspot.com/2026/04/analisis-cve-2024-10924-really-simple-security.html

#Infosec #CyberSecurity #WordPress #Pentest #BlueTeam #AnalisSiber #WebSecurity

🔒 HIGH severity: aEnrich a+HRD (CVE-2026-6834) missing authorization flaw lets authenticated users read any database content via API. No patch yet — restrict API access & monitor for abuse. https://radar.offseq.com/threat/cve-2026-6834-cwe-862-missing-authorization-in-aen-34aab48f #OffSeq #Vulnerability #InfoSec #aEnrich

Warning: CVE-2025-40739 (CWEs: ['CWE-125']) found no CAPEC relationships.
Warning: CVE-2025-40741 (CWEs: ['CWE-121']) found no CAPEC relationships.

#SoftwareSecurity #MemorySafety #CWE #ADBE
2/2

Adobe’s 95% VaR is driven by CVE-2025-40739 and CVE-2025-40740. These are CWE-125 (Out-of-bounds Read) and CWE-121 (Stack-based Buffer Overflow) flaws. In a modern stack, these should be legacy ghosts.

Instead, they remain the primary drivers of execution mass. When combined with the P5 Execution vector of 1.44, it reveals that the Adobe consumer is still vulnerable to the most fundamental classes of memory corruption.

Artifacts:
1/2

Warning: CVE-2025-40739 (CWEs: ['CWE-125']) found no CAPEC relationships.
Warning: CVE-2025-40741 (CWEs: ['CWE-121']) found no CAPEC relationships.

#SoftwareSecurity #MemorySafety #CWE #ADBE
2/2

Adobe’s 95% VaR is driven by CVE-2025-40739 and CVE-2025-40740. These are CWE-125 (Out-of-bounds Read) and CWE-121 (Stack-based Buffer Overflow) flaws. In a modern stack, these should be legacy ghosts.

Instead, they remain the primary drivers of execution mass. When combined with the P5 Execution vector of 1.44, it reveals that the Adobe consumer is still vulnerable to the most fundamental classes of memory corruption.

Artifacts:
1/2