Last updated: May 13, 2026 at 5:42 AM UTC
Tag: unauthenticated (4 articles)

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API - those are the exploit signatures. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate API tokens issued before the patch was applied since they may have been exposed via CVE-2026-24898.

Critical unauthenticated path traversal in CrowdStrike LogScale lets remote attackers read any file on the server (CVE-2026-40050, CVSS 9.8)

CrowdStrike disclosed CVE-2026-40050 on April 21, a critical unauthenticated path traversal in a specific cluster API endpoint of self-hosted LogScale (formerly Humio). CVSS 9.8. A remote attacker who can reach the endpoint can read arbitrary files from disk - including config files, certificates, embedded credentials, and the very logs the platform was deployed to protect. CrowdStrike found the bug through internal product testing and applied network-layer blocks across all SaaS clusters on April 7. Self-hosted customers must patch themselves. There is no evidence of in-the-wild exploitation yet.

Check
Check every self-hosted CrowdStrike LogScale instance today and patch immediately - and verify the cluster API endpoint is not reachable from anywhere it shouldn't be.
Affected
CrowdStrike LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 inclusive, plus LTS versions 1.228.0 and 1.228.1. CVE-2026-40050, CVSS 9.8 (CWE-22 path traversal plus CWE-306 missing authentication). LogScale SaaS deployments and Next-Gen SIEM customers are not exposed - SaaS was already mitigated April 7 at the network layer.
Fix
Upgrade to LogScale Self-Hosted 1.235.1+ (GA) or 1.228.2 (LTS). Restrict the cluster API endpoint to internal management networks - it should never be internet-facing or general-VLAN reachable. Audit web-access logs for traversal patterns (..%2F, ../, encoded variants). Rotate any credentials, certificates, or tokens that may have been on disk on the LogScale host during the vulnerable window.
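
One way to run the web-access log audit for traversal patterns described in the fix above, as an added example (not CrowdStrike's code and not from the original page). It assumes Combined Log Format; the log lines are constructed and `/placeholder/endpoint` stands in for the cluster API path, which the page does not name.

```python
import re
from urllib.parse import unquote

# Assumes Combined Log Format: client ... "METHOD target HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if a path or query segment is exactly '..' once decoded."""
    decoded = fully_decode(target).replace("\\", "/")
    # Split on path and query delimiters so 'v1..2' is not a false positive.
    return ".." in re.split(r"[/?&=;]", decoded)

def audit(lines):
    """Return (client, method, status, raw_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["client"], m["method"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines; '/placeholder/endpoint' is NOT the real LogScale path.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:00:01 +0000] "GET /placeholder/endpoint/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1832',
    '203.0.113.7 - - [21/Apr/2026:10:00:02 +0000] "GET /placeholder/endpoint/%252e%252e%252fconf HTTP/1.1" 404 0',
    '198.51.100.4 - - [21/Apr/2026:10:00:03 +0000] "GET /placeholder/endpoint/status HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Apr/2026:10:00:04 +0000] "GET /downloads/release-1..2.tar.gz HTTP/1.1" 200 99',
    '203.0.113.9 - - [21/Apr/2026:10:00:05 +0000] "GET /placeholder/endpoint?file=..%5c..%5cwin.ini HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for client, method, status, target in audit(SAMPLE_LOG):
        # A 2xx status means the server answered the request: triage those first.
        flag = "INVESTIGATE" if 200 <= status < 300 else "blocked/failed"
        print(f"{flag:14} {client} {method} {status} {target}")
```

Matching on decoded segments rather than grepping for the literal strings catches double-encoded and backslash variants while skipping filenames that merely contain two dots.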

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.

Ninja Forms WordPress plugin allows unauthenticated file upload leading to remote code execution

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.

Check
Check if any of your WordPress sites use the Ninja Forms File Uploads premium add-on. This is a premium extension, not the free Ninja Forms base plugin.
Affected
WordPress sites running the Ninja Forms File Uploads premium add-on (vulnerable versions not yet confirmed in public reporting). The free base Ninja Forms plugin alone is not affected.
Fix
Update the Ninja Forms File Uploads add-on to the latest version immediately. If you can't patch right away, temporarily disable the file upload functionality. Review your web server logs for unexpected file uploads in the Ninja Forms upload directory. Use a WAF rule to block PHP file uploads to Ninja Forms endpoints.