Gogs Authenticated RCE via git rebase --exec Argument Injection (Unpatched)

Gogs Authenticated RCE via git rebase –exec Argument Injection (Unpatched)

Rapid7’s Jonah Burgess has disclosed a critical (CVSS 9.4) authenticated argument-injection RCE in the self-hosted Gogs Git server. Any authenticated user can create a branch named “–exec=“, open a pull request against a repository where “Rebase before merging” is enabled, and have Gogs run their command on the server when the merge fires. No admin rights required, no CVE assigned, no patch shipped — the maintainer was notified on 17 March 2026 and Rapid7 disclosed publicly on 28 May after two and a half months of silence. Roughly 1,141 internet-facing Gogs instances are exposed; a Metasploit module ships with the disclosure.

Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)

Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)

A deep technical write-up of the Synology BeeStation pre-auth-to-RCE chain disclosed by DEVCORE at Pwn2Own Ireland 2024 (CVE-2024-50629 CRLF injection, CVE-2024-50630 auth bypass via webapi-to-syncd domain-socket trust, CVE-2024-50631 SQL injection in update_settings) plus an N-day variant by Kiddo that swaps DEVCORE’s PHP-based RCE for a novel “ATTACH DATABASE” primitive against “/etc/cron.d/pwn.task”, exploiting cron’s line-skip tolerance to embed a working reverse-shell crontab inside an otherwise-binary SQLite file.

Animated terminal demo of the FreeBSD setcred CVE-2026-45250 LPE exploit landing a root shell

Calif’s AI Audit of FreeBSD: 15 Kernel Bugs (3 RCEs, 5 LPEs, 1 bhyve Escape) and Three Public CVE Writeups

Calif’s AI-assisted security team published a write-up of their FreeBSD kernel engagement: “15 bugs total” — 3 RCEs, 5 LPEs, 1 bhyve guest-to-host escape, plus memory disclosures and DoS — reported privately to FreeBSD with public PoCs released for three: CVE-2026-45250 (setcred sizeof confusion → stack overflow), CVE-2026-45253 (ptrace PT_SC_REMOTE missing bounds check → sysent OOB), and CVE-2026-45251 (procdesc UAF → arbitrary kernel-pointer writes via TAILQ_REMOVE on stale pd_selinfo). The exploits and writeups were generated by AI (OpenAI / Anthropic) and verified by humans before release. The remaining twelve bugs stay private until FreeBSD ships fixes.

CVE-2025-61622: PyFory Insecure Pickle Deserialization to RCE

CVE-2025-61622: PyFory Insecure Pickle Deserialization to Remote Code Execution

CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury) 0.12.0–0.12.2 reachable through the library’s fallback path for unregistered types: “handle_unsupported_read()” instantiates a bare “pickle.Unpickler” with no “find_class” override and calls “.load()” on the attacker’s buffer, executing whatever “__reduce__” tuple they crafted. The attacker doesn’t even need PyFory installed — a stock “cloudpickle” payload pushed over a TCP socket is enough. Fixed in 0.12.3 by removing the pickle fallback entirely.

Visual Studio extension project template selection screen

Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs

MDSec returns to the Visual Studio extension ecosystem three years after their VS Code work. A modern “VisualStudio.Extensibility” extension that fetches and runs an arbitrary .NET assembly via reflection — built from the stock template, published on the Marketplace under the “MSAzure” publisher with no security checks — takes a renamed “Microsoft” publisher around an hour to land. The second half of the post is a five-stage triage pipeline (Acquisition → Unpacking → Decompilation → LLM Triage → Agent Investigation) over the 8,566 analysable VSIX packages currently on the Marketplace, surfacing a backdoor-shaped “vs-publisher-1477920/FVsEx” extension that exfiltrates host info to “qweq.xyz” and dispatches commands to “cmd.exe”.

CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)

CVE-2026-20182: Unauthenticated vHub Bypass in the Cisco Catalyst SD-WAN Controller

CVE-2026-20182 (CVSS 10.0, CWE-287) is a critical authentication bypass in the Cisco Catalyst SD-WAN Controller’s vdaemon DTLS service (UDP 12346). By presenting “device_type = 2” (vHub) during the CHALLENGE_ACK phase, an unauthenticated remote attacker hits a fall-through in “vbond_proc_challenge_ack()” that unconditionally sets “authenticated = 1” — from there it’s a short hop to “MSG_VMANAGE_TO_PEER” SSH-key injection into “/home/vmanage-admin/.ssh/authorized_keys” and full NETCONF control of the SD-WAN fabric. Discovered by Rapid7’s Stephen Fewer and Jonah Burgess; a Metasploit module ships with this post. Cisco has fixed it — upgrade now.

Header image — CVE-2024-27398 Linux Bluetooth SCO UAF article

CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass

A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.

Screenshot of the pb2au fake DMG-style installer used by the proof of concept

CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility

Mysk research details CVE-2026-28910 — a chain of three macOS design flaws that turns the built-in Archive Utility plus a single drag-and-drop into a sandbox-escaping, TCC-bypassing, app-hijacking primitive. The pb2au proof of concept compromises Notes, Messages, Mail, Safari, WhatsApp, Telegram, Signal Desktop and 1Password in under 30 seconds with no root, no password, and no special permissions. Patched in macOS 26.4 (March 2026); all earlier macOS Tahoe builds remained exposed for ~5 months.

NASM CVE-2026-6068 attack demo (heap UAF to persistent RCE)

CVE-2026-6068 — NASM Heap UAF Turns Into Persistent RCE Through a Dependency-File Symlink Trick

A heap use-after-free in NASM’s response-file parser (CVE-2026-6068) sounds boring — until the dangling pointer is reused as a filename for fopen(). Project SEKAI’s breakingbad turns it into a deterministic, supply-chain-style persistent RCE that overwrites the victim’s ~/.bashrc through a 120-character heap-spray label, a shipped symlink, and the unescaped shell metacharacters in NASM’s Makefile-style dependency output. No ASLR, NX, PIE, RELRO or stack-canary bypass needed. Still unpatched at disclosure.

Diagram explaining the PHP object deserialization flow in Roundcube CVE-2025-49113

Roundcube CVE-2025-49113: Authenticated PHP Object Deserialization to RCE in Open-Source Webmail

CVE-2025-49113 is a critical authenticated remote-code-execution flaw in Roundcube webmail — the default in cPanel, Plesk, and many hosting stacks — caused by insufficient validation of the _from upload parameter that lets attackers inject malicious PHP-serialized objects into session storage. The bug went undetected for nearly a decade and reportedly exposes more than 53 million hosts across all Roundcube 1.1.0–1.6.10 builds.