STAR Labs’ advisory on CVE-2026-41873 in Apache Pony Mail by Li Jiantao and Tevel Sho (disclosed 28 April 2026). Two independent bugs reach the same outcome — full admin takeover — without any authentication. In the modern Foal (Python) build, an attacker-supplied “oauth_token” URL drives a blind SSRF against the local Elasticsearch SQL endpoint, leaking the admin session cookie character-by-character (CVSS 9.1). In the legacy Lua build (now retired, no patch), a single unescaped query parameter in “email.lua” lets the attacker inject CRLF bytes into the Elasticsearch HTTP request and smuggle a second request that creates an admin account outright.
Roundcube CVE-2025-49113: Authenticated PHP Object Deserialization to RCE in Open-Source Webmail
CVE-2025-49113 is a critical authenticated remote-code-execution flaw in Roundcube webmail — the default in cPanel, Plesk, and many hosting stacks — caused by insufficient validation of the _from upload parameter that lets attackers inject malicious PHP-serialized objects into session storage. The bug went undetected for nearly a decade and reportedly exposes more than 53 million hosts across all Roundcube 1.1.0–1.6.10 builds.
What You Need to Know: Windows Admin Center Remote Privilege Escalation (CVE-2026-26119)
CVE-2026-26119 is a high-severity privilege-escalation flaw in Windows Admin Center caused by improper authentication. Attackers with low-privileged access could gain admin rights and potentially compromise entire domains.
Exploiting a PHP Object Injection in Profile Builder Pro in the era of AI
The article explains how researchers exploited an unauthenticated PHP Object Injection in the WordPress plugin Profile Builder Pro, showing how AI tools can accelerate vulnerability discovery and exploit development in modern web applications.
Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721)
The article examines vulnerabilities in VMware Aria Operations that enable credential disclosure and privilege escalation. Attackers with limited access can escalate privileges and gain administrative control over the infrastructure monitoring platform.