Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.

Threat Intelligence

Click on any threat for detailed analysis and mitigation recommendations

CVE-2026-63175: CWE-613 Insufficient Session Expiration in Lookyloo PlaywrightCaptureCVE-2026-63175
0

Lookyloo PlaywrightCapture versions up to 1.40.2 suffer from insufficient session expiration due to mutable class-level variables used for capture-specific data. This flaw allows multiple capture objects within the same Python process to share sensitive state such as HTTP headers, cookies, credentials, and proxy settings. As a result, in multi-user or concurrent deployments, data from one capture session may leak into another, risking unauthorized access and data disclosure. The vulnerability is addressed by refactoring the code to use instance-level variables for isolation between captures.

Join the discussion
CVE-2026-55445: CWE-287: Improper Authentication in whyour qinglongCVE-2026-55445
0

Qinglong, a timed task management platform, has an authentication bypass vulnerability prior to version 2.20.1. The issue arises because the init guard middleware checks the /api/user/init endpoint but not the /open/user/init endpoint. Due to a rewrite rule that applies after authentication checks, an unauthenticated attacker can send a PUT request to /open/user/init to reset administrator credentials on an already initialized instance. This vulnerability is classified as improper authentication (CWE-287) and has a critical severity with a CVSS score of 9.3. The issue is fixed in version 2.20.1.

Join the discussion
CVE-2026-54458: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideoCVE-2026-54458
0

WWBN AVideo versions prior to 29.0 contain a stored DOM-based Cross-Site Scripting (XSS) vulnerability in the YPTSocket plugin. An unauthenticated attacker can exploit this flaw by sending crafted WebSocket connection parameters that are stored and broadcast to all connected clients, including administrators. This leads to arbitrary JavaScript execution in the context of the admin dashboard, enabling theft of cookies, CSRF tokens, and full administrative takeover. The vulnerability has been patched in version 29.0.

Join the discussion
CVE-2026-45313: CWE-284: Improper Access Control in sandboxie-plus SandboxieCVE-2026-45313
0

Sandboxie-Plus versions prior to 1.17.6 contain an improper access control vulnerability in the GuiServer component. This flaw allows a sandboxed process to supply thread and function pointer handles that are not validated, enabling execution of arbitrary code in an unsandboxed host process with SYSTEM privileges. The issue is fixed in version 1.17.6.

Join the discussion
CVE-2026-30623: n/aCVE-2026-30623
0

LiteLLM version 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application accepts JSON configurations to add MCP servers, which include arbitrary command and argument values. These values are executed on the host system without validation, allowing attackers to execute arbitrary operating system commands. Exploitation results in remote code execution with the privileges of the LiteLLM process.

Join the discussion
CVE-2026-30618: n/aCVE-2026-30618
0

xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and parameters, resulting in execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the Fay service.

Join the discussion
CVE-2025-65720: n/aCVE-2025-65720
0

An issue in Open Source GPT Researcher v3.3.7 allows attackers to execute arbitrary commands on a victim system via user interaction with a crafted HTML page.

Join the discussion
Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor
0

Backdoor.Daxin, a sophisticated China-linked kernel-mode rootkit first exposed in 2022, was discovered operating on a Taiwan manufacturing firm's network in 2026. The malware was found alongside Backdoor.Stupig, a previously unknown backdoor that uses a novel technique involving a Trojanized keyboard-layout DLL loaded by winlogon.exe, enabling command execution as System from the Windows logon screen without authentication. Both samples carry compile timestamps from early 2013, but the compromised host only began reporting telemetry in May 2026, suggesting a possible 13-year undetected intrusion. The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer. Daxin's defining characteristic is its ability to hijack legitimate TCP connections for command-and-control traffic, making it exceptionally difficult to detect through conventional network monitoring.

Join the discussion
OkoBot framework infection chain
0

In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, browser extension injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses VMProtect obfuscation, UAC bypass techniques, and maintains persistence through RDP access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.

Join the discussion
June 2026 Infostealer Trend Report
0

During June 2026, multiple infostealer families including Remus, ACRStealer, LummaC2, and Vidar were distributed through SEO poisoning techniques, disguised as illegal software such as cracks and keygens. Attacks utilized EXE files (84.5%) and DLL side-loading (15.5%) methods, with distribution primarily through Mediafire, Mega, and cloud storage platforms. Microsoft Corporation was the most frequently impersonated entity. MacOS environments were targeted through ClickFix techniques and malicious Bash scripts, with one variant dynamically obtaining C2 addresses via Polygon smart contracts. Email-based campaigns distributed AgentTesla and DarkCloud through compressed attachments, with both variants exfiltrating data via SMTP. The stolen credentials pose significant risks for dark web trading and secondary attacks.

Join the discussion

Showing 1 to 10 of 11981 results

Page 1 of 1199
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses