#Vulnerability

CVE-2025-24964 lets a malicious web page reach RCE via Vitest's WebSocket API

Vitest's UI/api WebSocket skips Origin checks (CSWSH), so a malicious page can call saveTestFile and rerun to run code on your dev machine. Fixed in 1.6.1 / 2.1.9 / 3.0.5.

CVE-2025-48595: Android Framework EoP, exploited, in CISA KEV (June 5 deadline)

Android 14–16/16-qpr2 patch CVE-2025-48595, a Framework integer-overflow EoP Google flags as under limited, targeted exploitation. In CISA KEV with a 2026-06-05 deadline. Includes the 06-01 vs 06-05 patch-level split.

Request smuggling vs request splitting in Spring Boot: what to check for each

Two CRLF-adjacent bugs, two different checks. Smuggling is a proxy↔Tomcat HTTP/1.1 framing mismatch (tomcat-embed-core version, CVE-2026-24880); splitting is CRLF in sendRedirect/setHeader/RestTemplate. With a grep checklist.

HTTP/2 Bomb: 5,700x Envoy, 4,000x Apache amplification via HPACK + flow control

100Mbps to 32GB via HPACK + flow control stall. Envoy 5,700:1, Apache 4,000:1. Patch status: nginx 1.29.8, mod_h2 v2.0.41, Envoy 1.35–1.38, IIS/Pingora unpatched.

Microsoft Defender RedSun & UnDefend: actively exploited CVEs now in CISA KEV

RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) are confirmed exploited and in CISA KEV. A patched Windows isn't enough: how to check your Defender engine 1.1.26040.8 / platform 4.18.26040.7.

KnowledgeDeliver CVE-2026-5426: shared machineKey, ViewState RCE, Cobalt Strike

CVE-2026-5426 zero-day: KnowledgeDeliver's shared ASP.NET machineKey → ViewState RCE → Godzilla in memory → Cobalt Strike via JS tampering. Hunting starts at Event ID 1316.

nginx CVE-2026-8711 (njs) and CVE-2026-9256 (rewrite) after Rift

After Rift, two more nginx CVEs landed in late May 2026: njs js_fetch_proxy heap overflow CVE-2026-8711 and a second rewrite-module heap overflow CVE-2026-9256. Both pre-auth, CVSS v4.0 9.2, config-specific. Concrete grep checks and patch paths.

YellowKey CVE-2026-45585 mitigation: WinRE autofstx fix, TPM+PIN, no patch yet

Microsoft assigned CVE-2026-45585 to YellowKey: strip autofstx.exe from WinRE BootExecute and move TPM-only BitLocker to TPM+PIN. No patch ETA; Chaotic Eclipse claims a TPM+PIN bypass PoC.

MiniPlasma SYSTEM LPE on patched Windows 11: cldflt.sys CVE-2020-17103 reappears

Chaotic Eclipse's MiniPlasma takes SYSTEM on fully patched Windows 11 May 2026 by re-triggering CVE-2020-17103 in cldflt.sys, the same bug James Forshaw reported in 2020 and Microsoft supposedly fixed that December. Will Dormann confirmed the PoC works; the latest Insider Canary blocks it. No new CVE assigned yet, and the regression sits next to the actively exploited CVE-2025-62221 in the same driver.

YellowKey BitLocker bypass via WinRE opens encrypted drives with a USB stick, GreenPlasma CTFMON LPE drops the same day, Chaotic Eclipse calls it a backdoor

Chaotic Eclipse released YellowKey and GreenPlasma PoCs one day after May 2026 Patch Tuesday. A USB-borne FsTx folder plus a Ctrl-key reboot drops cmd.exe inside WinRE on a BitLocker-protected machine. Covers WinRE-only behavior, the CTFMON SYSTEM elevation path, the RedSun silent-patch dispute, and what defenders can actually do while unpatched.

OpenClaw Claw Chain: 4 CVEs from OpenShell TOCTOU to MCP loopback owner spoof

What to patch, rotate, and grep after OpenClaw 2026.4.22. Walks CVE-2026-44112/44113/44115/44118 as one chain on agent runtime, with detection log fields and 24h/1w response steps.

Ollama CVE-2026-7482: crafted GGUF leaks heap memory from exposed API servers

Out-of-bounds read in Ollama's GGUF loader before 0.17.1. If your Ollama API is network-accessible, a crafted model file can exfiltrate env vars, API keys, system prompts, and conversation fragments from process memory.