Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.

Threat Intelligence

Click on any threat for detailed analysis and mitigation recommendations

CVE-2026-63175: CWE-613 Insufficient Session Expiration in Lookyloo PlaywrightCaptureCVE-2026-63175
0

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data. In a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture's authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations. The vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations.

Join the discussion
CVE-2026-55445: CWE-287: Improper Authentication in whyour qinglongCVE-2026-55445
0

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.

Join the discussion
CVE-2026-54458: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideoCVE-2026-54458
0

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. plugin/YPTSocket/getWebSocket.json.php issues a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen at plugin/YPTSocket/MessageSQLiteV2.php lines 91 and 110 reads the attacker-controlled webSocketSelfURI and page_title query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite connections table and broadcast inside the users_id_online array sent to every connected client; on the client, plugin/YPTSocket/script.js::updateSocketUserCard interpolates the broadcast page_title into an HTML template literal that is passed to jQuery $.append(html), which parses attacker bytes into live DOM nodes including <img> with inline event handlers. Successful attackers can can read non-HttpOnly cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation. When the victim is an AVideo administrator, the attacker turns a single anonymous WebSocket connection into full administrative takeover via the admin's own session. This issue has been patched by https://github.com/WWBN/AVideo/commit/8be71e53ccbe9b84b30870db386fb4d2b11e1c16.

Join the discussion
CVE-2026-45313: CWE-284: Improper Access Control in sandboxie-plus SandboxieCVE-2026-45313
0

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUI_WND_HOOK_REGISTER request without validating that the thread belongs to the sandboxed process or that the function pointer is in the caller address space, and GuiServer::WndHookNotifySlave then calls OpenThread(THREAD_SET_CONTEXT, FALSE, whk->hthread) and QueueUserAPC((PAPCFUNC)whk->hproc, hThread, (ULONG_PTR)req->threadid) as SYSTEM, allowing a sandboxed process to execute arbitrary code in an unsandboxed host process. This issue is fixed in version 1.17.6.

Join the discussion
CVE-2026-30623: n/aCVE-2026-30623
0

LiteLLM 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application allows users to add MCP servers via a JSON configuration specifying arbitrary command and args values. LiteLLM executes these values on the host without validation, enabling attackers to run arbitrary operating system commands. Successful exploitation may result in remote code execution with the privileges of the LiteLLM process.

Join the discussion
CVE-2026-30618: n/aCVE-2026-30618
0

xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and parameters, resulting in execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the Fay service.

Join the discussion
CVE-2025-65720: n/aCVE-2025-65720
0

An issue in Open Source GPT Researcher v3.3.7 allows attackers to execute arbitrary commands on a victim system via user interaction with a crafted HTML page.

Join the discussion
Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor
0

Backdoor.Daxin, a sophisticated China-linked kernel-mode rootkit first exposed in 2022, was discovered operating on a Taiwan manufacturing firm's network in 2026. The malware was found alongside Backdoor.Stupig, a previously unknown backdoor that uses a novel technique involving a Trojanized keyboard-layout DLL loaded by winlogon.exe, enabling command execution as System from the Windows logon screen without authentication. Both samples carry compile timestamps from early 2013, but the compromised host only began reporting telemetry in May 2026, suggesting a possible 13-year undetected intrusion. The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer. Daxin's defining characteristic is its ability to hijack legitimate TCP connections for command-and-control traffic, making it exceptionally difficult to detect through conventional network monitoring.

Join the discussion
OkoBot framework infection chain
0

In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, browser extension injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses VMProtect obfuscation, UAC bypass techniques, and maintains persistence through RDP access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.

Join the discussion
June 2026 Infostealer Trend Report
0

During June 2026, multiple infostealer families including Remus, ACRStealer, LummaC2, and Vidar were distributed through SEO poisoning techniques, disguised as illegal software such as cracks and keygens. Attacks utilized EXE files (84.5%) and DLL side-loading (15.5%) methods, with distribution primarily through Mediafire, Mega, and cloud storage platforms. Microsoft Corporation was the most frequently impersonated entity. MacOS environments were targeted through ClickFix techniques and malicious Bash scripts, with one variant dynamically obtaining C2 addresses via Polygon smart contracts. Email-based campaigns distributed AgentTesla and DarkCloud through compressed attachments, with both variants exfiltrating data via SMTP. The stolen credentials pose significant risks for dark web trading and secondary attacks.

Join the discussion

Showing 1 to 10 of 11981 results

Page 1 of 1199
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses