Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: unauthenticated (6 articles)Clear

Critical Oracle E-Business Suite flaw now exploited for unauthenticated takeover

Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.

Check
Identify internet-facing Oracle E-Business Suite instances, confirm whether the May 2026 Critical Patch Update is applied, and review logs for suspicious requests to the Payments component and unexpected system-file access.
Affected
Oracle E-Business Suite versions 12.2.3 through 12.2.15 with the Payments component reachable over HTTP (CVE-2026-46817); unauthenticated attackers can fully compromise the system, and a private exploit is already in use.
Fix
Apply Oracle's May 2026 Critical Patch Update immediately, restrict EBS access to trusted networks, and run a compromise assessment if patching was delayed, since exploitation is underway without public exploit code.

Critical Splunk Enterprise flaw allows unauthenticated remote code execution

Splunk has patched a critical flaw in Splunk Enterprise that lets an unauthenticated attacker run code on the server, a serious risk given Splunk often sits at the heart of a company's security monitoring. The bug (CVE-2026-20253, rated 9.8) is in the PostgreSQL sidecar service added in Splunk 10, whose internal API has no authentication yet is reachable through the main web app's proxy. An attacker can write or overwrite files on the host and chain that into remote code execution. The sidecar is off by default on on-premises Windows but enabled out of the box on Splunk Enterprise running in AWS. Splunk Cloud is not affected.

Check
Check Splunk Enterprise versions and whether the PostgreSQL sidecar service is enabled, especially on AWS-hosted instances, and use watchTowr's detection tool to test for unauthenticated access to the API.
Affected
Splunk Enterprise 10 and later below versions 10.2.4 and 10.0.7 with the PostgreSQL sidecar service active (CVE-2026-20253); AWS-hosted instances are exposed by default. Splunk Cloud is unaffected.
Fix
Upgrade Splunk Enterprise to 10.2.4 or 10.0.7 or later immediately. Until patched, restrict network access to the web interface and sidecar endpoints, and disable the sidecar service if unused.

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API - those are the exploit signatures. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate API tokens issued before the patch was applied since they may have been exposed via CVE-2026-24898.

Critical unauthenticated path traversal in CrowdStrike LogScale lets remote attackers read any file on the server (CVE-2026-40050, CVSS 9.8)

CrowdStrike disclosed CVE-2026-40050 on April 21, a critical unauthenticated path traversal in a specific cluster API endpoint of self-hosted LogScale (formerly Humio). CVSS 9.8. A remote attacker who can reach the endpoint can read arbitrary files from disk - including config files, certificates, embedded credentials, and the very logs the platform was deployed to protect. CrowdStrike found the bug through internal product testing and applied network-layer blocks across all SaaS clusters on April 7. Self-hosted customers must patch themselves. There is no evidence of in-the-wild exploitation yet.

Check
Check every self-hosted CrowdStrike LogScale instance today and patch immediately - and verify the cluster API endpoint is not reachable from anywhere it shouldn't be.
Affected
CrowdStrike LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 inclusive, plus LTS versions 1.228.0 and 1.228.1. CVE-2026-40050, CVSS 9.8 (CWE-22 path traversal plus CWE-306 missing authentication). LogScale SaaS deployments and Next-Gen SIEM customers are not exposed - SaaS was already mitigated April 7 at the network layer.
Fix
Upgrade to LogScale Self-Hosted 1.235.1+ (GA) or 1.228.2 (LTS). Restrict the cluster API endpoint to internal management networks - it should never be internet-facing or general-VLAN reachable. Audit web-access logs for traversal patterns (..%2F, ../, encoded variants). Rotate any credentials, certificates, or tokens that may have been on disk on the LogScale host during the vulnerable window.

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.

Ninja Forms WordPress plugin allows unauthenticated file upload leading to remote code execution

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.

Check
Check if any of your WordPress sites use the Ninja Forms File Uploads premium add-on. This is a premium extension, not the free Ninja Forms base plugin.
Affected
WordPress sites running the Ninja Forms File Uploads premium add-on (vulnerable versions not yet confirmed in public reporting). The free base Ninja Forms plugin alone is not affected.
Fix
Update the Ninja Forms File Uploads add-on to the latest version immediately. If you can't patch right away, temporarily disable the file upload functionality. Review your web server logs for unexpected file uploads in the Ninja Forms upload directory. Use a WAF rule to block PHP file uploads to Ninja Forms endpoints.