Tag
#web-security
10 posts tagged #web-security.
-
Analysis · May 20, 2026 · analysis-desk
Adobe ColdFusion has been getting popped the same ways for 15 years
The KEV catalog holds a long run of ColdFusion bugs: deserialization RCEs, access-control bypasses, and file uploads, from 2013 to 2024. Different CVEs, same handful of weaknesses. If you still run internet-facing ColdFusion, you're operating a perennial target.
-
Analysis · May 20, 2026 · operations-desk
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024. Hosting control panels run as root and face the internet by design, which is exactly why one bug becomes a fleet-wide event.
-
Analysis · May 20, 2026 · analysis-desk
An uploaded filename is attacker input. dotCMS forgot, and got a webshell.
CVE-2022-26352 is a directory traversal in dotCMS's upload API: the filename in a multipart request wasn't sanitized, so '../' sequences let an attacker write a JSP webshell to a web-reachable directory. With anonymous content creation on, that's unauthenticated RCE.
-
Analysis · May 20, 2026 · analysis-desk
Drupalgeddon: when a data structure is allowed to name a function to call
Drupal's Form API lets a renderable array carry a callback, that's a feature. Drupalgeddon (CVE-2018-7602) let an attacker put their own callback in, and Drupal called it: exec, passthru, system. Powerful framework metaprogramming plus untrusted input equals RCE.
-
Analysis · May 20, 2026 · analysis-desk
The same handful of mechanisms account for most of the catalog
After the marquee bugs, Tier 1's remaining entries, DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office, don't introduce new lessons. They confirm the few recurring mechanisms behind nearly every exploited vulnerability.
-
Analysis · May 20, 2026 · analysis-desk
The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token
CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling. Naming the auth-token header in the Connection header made the proxy strip it after the auth check read it, but before the backend did.
-
Analysis · May 20, 2026 · analysis-desk
A soft hyphen reopened a bug PHP closed in 2012
CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
-
Analysis · May 20, 2026 · analysis-desk
Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing
CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP. It's the same .NET deserialization footgun that keeps showing up in enterprise web apps, on a CMS that often sits forgotten but internet-facing.
-
Analysis · May 20, 2026 · analysis-desk
There's no vendor to patch this one. The vulnerable code is inside an app you built.
CVE-2017-11357 is a file-upload-to-RCE flaw in the Telerik UI component. It's not a product on your network you can update; it's a library compiled into web apps your own team shipped, sometimes years ago, often without anyone remembering Telerik is in there.
-
Analysis · May 20, 2026 · analysis-desk
Server-side template injection: when the page renderer runs the attacker's code
CVE-2022-22954 is a template-injection bug in VMware Workspace ONE Access. A template engine meant to render data into a page rendered attacker input into code execution instead, unauthenticated, on the appliance that brokers your single sign-on. Attackers had an exploit 48 hours after the patch.