Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Threat Intelligence

YARA-X 1.18.0 and 1.19.0 Release (Sun, Jun 28th)

YARA-X versions 1.18.0 and 1.19.0 have been released, introducing several improvements and bug fixes. The 1.18.0 release includes three improvements and two bug fixes, notably adding a new command-line option to limit CPU usage. The 1.19.0 release adds four improvements and two bug fixes. There is no indication of a security vulnerability or exploit associated with these releases.

Medium | Vulnerability
CVE-2026-13483: Insufficient Verification of Data Authenticity in arc53 DocsGPT

A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

KRVTZ-NET IDS alerts for 2026-06-28

CVE-2026-13482: Use of Weak Hash in skypilot-org skypilot

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.

CVE-2026-10646: use-after-free in zephyrproject zephyr

A use-after-free vulnerability exists in Zephyr's BSD-sockets getaddrinfo() implementation due to improper handling of asynchronous DNS resolver queries. This flaw allows a stale callback to access a stack-allocated state object after it has gone out of scope, potentially leading to memory corruption or denial of service. The vulnerability affects Zephyr versions 4.0.0 through 4.4.0. The issue arises when a DNS query times out and is retried without cancelling the previous query, enabling an attacker to influence the stale callback via spoofed or replayed network responses.

CVE-2026-10644: bounds in zephyrproject zephyr

CVE-2026-10644 is a medium severity vulnerability in the Microchip SERCOM-G1 UART driver of the Zephyr project affecting the PIC32CM-JH SoC family. It involves an out-of-bounds write in the asynchronous DMA receive path when a one-byte receive buffer is used with async UART enabled. This causes a single-byte memory corruption adjacent to the RX buffer, potentially leading to a crash or denial of service. The issue exists in Zephyr versions 4.4.0 up to but not including 4.5.0. The fix changes the handling of one-byte buffers to avoid DMA and properly reads the first byte with the CPU.

CVE-2026-10593: memory-safety in zephyrproject zephyr

CVE-2026-10593 is a medium severity vulnerability in Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client versions 4.3.0 up to but not including 4.5.0. The flaw involves mishandling of peer-supplied ASE state notifications, leading to a NULL pointer dereference and crash (denial of service) when a remote ASCS server sends a specific GATT notification during a permitted state transition. The issue arises because the handler writes attacker-controlled QoS fields through a pointer that can be NULL under certain conditions. The defect was fixed by changing the QoS storage to an always-valid embedded structure, eliminating the NULL dereference.

CVE-2026-58053: Improper Privilege Management in Gitea act_runner

CVE-2026-58053 is a critical vulnerability in Gitea's act_runner component when using the Docker backend via act 0.262.0. The issue arises because the workflow's container.options string is passed directly to the Docker job container's HostConfig, allowing certain Docker options like --pid=host, --cap-add, and --security-opt to remain enabled even if privileged mode is disabled. This improper privilege management enables a user with workflow execution rights to create a container with host namespaces and elevated capabilities, potentially escaping to the host as root.

50 Chrome extensions. One codebase. One backend. One API key.

A cluster of 50 Chrome extensions, all sharing the same codebase, backend infrastructure, Firebase project, and a hardcoded API key, has been identified. These extensions, collectively installed around 15,500 times, form a white-label WhatsApp CRM platform. The platform replaces WhatsApp Web's Content Security Policy (CSP), maintains persistent communication via Server-Sent Events (SSE) and Firebase Cloud Messaging, and includes voice transcription and backend backup APIs. Multiple privacy policies exist with inconsistent descriptions of the platform and omit several backend communication mechanisms. This raises privacy and security concerns due to centralized control and potential misuse of user data.

ThreatFox IOCs for 2026-06-27
