critical - TrustStrike Labs

vulnerability

CVE-2026-26083 CVE-2026-44277

2026-05-13

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical RCE flaws Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history - CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs; FortiAuthenticator gates MFA and SSO.

fortinet fortisandbox fortiauthenticator unauth-rce cvss-9-1 iam sandbox critical

Check: Inventory FortiAuthenticator and FortiSandbox versions. Confirm management UIs aren't internet-reachable. Check logs for unfamiliar admin sessions since early May.
Affected: FortiAuthenticator before 6.5.7, 6.6.9, 8.0.3. FortiSandbox 5.0.0-5.0.1, 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix: Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.

vulnerability

CVE-2026-3854

2026-04-28

Critical GitHub flaw lets a single 'git push' run code remotely on the server - patched, but most self-hosted GitHub Enterprise instances haven't updated yet (CVE-2026-3854)

Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.

github-enterprise-server rce git-push supply-chain ci-cd self-hosted critical

Check: If you run a self-hosted GitHub Enterprise Server, apply the latest patch this week and review push activity from any low-privilege accounts since the patch was released.
Affected: Self-hosted GitHub Enterprise Server instances on versions before the April 2026 patch. The bug requires push access to any repository, which means every developer with commit rights is a potential entry point. CI/CD secrets, signing keys, and source code are exposed. GitHub.com (the SaaS product) is not affected.
Fix: Upgrade GitHub Enterprise Server to the patched release per GitHub's advisory. Until patched, restrict push access to trusted accounts and require code review on all pushes. Audit Enterprise Server logs for unusual git operations or shell processes spawning from the GitHub system user. Rotate any CI/CD secrets, signing keys, and webhook tokens stored on the server.

vulnerability

CVE-2026-40050

2026-04-21

Critical unauthenticated path traversal in CrowdStrike LogScale lets remote attackers read any file on the server (CVE-2026-40050, CVSS 9.8)

CrowdStrike disclosed CVE-2026-40050 on April 21, a critical unauthenticated path traversal in a specific cluster API endpoint of self-hosted LogScale (formerly Humio). CVSS 9.8. A remote attacker who can reach the endpoint can read arbitrary files from disk - including config files, certificates, embedded credentials, and the very logs the platform was deployed to protect. CrowdStrike found the bug through internal product testing and applied network-layer blocks across all SaaS clusters on April 7. Self-hosted customers must patch themselves. There is no evidence of in-the-wild exploitation yet.

crowdstrike logscale humio path-traversal unauthenticated siem critical

Check: Check every self-hosted CrowdStrike LogScale instance today and patch immediately - and verify the cluster API endpoint is not reachable from anywhere it shouldn't be.
Affected: CrowdStrike LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 inclusive, plus LTS versions 1.228.0 and 1.228.1. CVE-2026-40050, CVSS 9.8 (CWE-22 path traversal plus CWE-306 missing authentication). LogScale SaaS deployments and Next-Gen SIEM customers are not exposed - SaaS was already mitigated April 7 at the network layer.
Fix: Upgrade to LogScale Self-Hosted 1.235.1+ (GA) or 1.228.2 (LTS). Restrict the cluster API endpoint to internal management networks - it should never be internet-facing or general-VLAN reachable. Audit web-access logs for traversal patterns (..%2F, ../, encoded variants). Rotate any credentials, certificates, or tokens that may have been on disk on the LogScale host during the vulnerable window.