Aretiq.AI

ARETIQ Daily Vulnerability Bulletin — June 24, 2026 4 vulnerabilities — HIGH: 4 Full bulletin: aretiq.ai/bulletins/2026…

@lawhackdddd Do you have an enterprise email account?

@AretiqAI how can i get the poc

Added research for CVE-2026-41089 — a pre-auth stack buffer overflow in Windows Netlogon. A single crafted CLDAP packet to UDP 389 can crash a Domain Controller. Full analysis, detection rules, and PoC: aretiq.ai/research/

@RossMichaels328 CVE-2026-45502 cannot be chained with PrivExchange/ntlmrelayx for domain compromise. The SSRF is useful for internal network reconnaissance and accessing internal HTTP services, but it does NOT leak Exchange's machine account credentials.

@AretiqAI Does the request as a result of this vulnerability happen in an authenticated context? If so, severity may be SIGNIFICANTLY higher than currently rated. e.g. dirkjanm.io/abusing-exchan…

New Research: CVE-2026-45502 — Microsoft Exchange Server SSRF Any mailbox user can force Exchange to make HTTP requests to internal networks. The SSRF protection only runs on cloud deployments — on-premises servers skip the check entirely. Root cause: the intranet address validation is gated on `isBposUser`, which is always `false` for on-prem Exchange. One SOAP request to EWS InstallApp with a crafted ManifestUrl = blind SSRF from the Exchange server's network position. Affects Exchange 2016 CU23, 2019 CU14/CU15, and Exchange SE. Patched in the June 2026 SU. Full analysis + PoC: aretiq.ai/research/15/

ARETIQ Daily Vulnerability Bulletin — June 23, 2026 3 vulnerabilities — HIGH: 3 Full bulletin: aretiq.ai/bulletins/2026…

ARETIQ Daily Vulnerability Bulletin — June 22, 2026 6 vulnerabilities — HIGH: 6 Full bulletin: aretiq.ai/bulletins/2026…

ARETIQ Daily Vulnerability Bulletin — June 21, 2026 2 vulnerabilities — HIGH: 2 Full bulletin: aretiq.ai/bulletins/2026…

ARETIQ Daily Vulnerability Bulletin — June 20, 2026 2 vulnerabilities — HIGH: 2 Full bulletin: aretiq.ai/bulletins/2026…

ARETIQ Daily Vulnerability Bulletin — June 19, 2026 🔴 CRITICAL: CVE-2026-55255 (langflow-ai/langflow) AAS 13.1 🔴 CRITICAL: CVE-2026-48772 (sysown/proxysql) AAS 12.8 🔴 CRITICAL: CVE-2026-48773 (sysown/proxysql) AAS 12.4 15 vulnerabilities — CRITICAL: 3, HIGH: 12 Full bulletin: aretiq.ai/bulletins/2026…

ARETIQ Daily Vulnerability Bulletin — June 18, 2026 🔴 CRITICAL: CVE-2026-54003 (getkirby/cms) AAS 12.3 17 vulnerabilities — CRITICAL: 1, HIGH: 16 Full bulletin: aretiq.ai/bulletins/2026…

SharePoint Server reflected XSS — CVE-2026-45453. Three workflow pages render DocURL into <a href> via NoEncode() — 9 injection points, no auth needed to craft the link. Hover to fire. Patch: KB5002874 / KB5002880 / KB5002873 aretiq.ai/research/13/

If you tried to register on aretiq.ai in the past week and got an error — it's fixed now. A database permission issue blocked new signups from June 5-14. Sorry about that, and thanks for your patience.

SharePoint Server RCE via webshell upload — CVE-2026-45454. A user with basic Contribute perms can upload an ASPX webshell to the Master Page Gallery and get code execution as the app pool identity. One HTTP request, no admin needed. Patch now. aretiq.ai/research/12/

CVE-2026-45454 — SharePoint Server path traversal to RCE. Authenticated users can upload files to restricted document libraries via Upload.aspx List/RootFolder mismatch, including webshells to the Master Page Gallery. Patch: KB5002874/KB5002880. aretiq.ai/research/12/

CVE-2026-3593 | ISC BIND 9 DoH Use-After-Free HTTP/2 SETTINGS floods trigger server_read_callback on a freed response buffer. Crashes ASAN builds ~40%/round. Pre-auth. Fixed in BIND 9.20.23 / 9.21.22. Analysis + PoC: aretiq.ai/research/10/

CVE-2026-28318 | SolarWinds Serv-U Pre-Auth DoS One HTTP POST with Content-Encoding: deflate crashes the service. ~260KB expands to 256MB, SIGABRT. CISA KEV (active exploitation). CVSS 4.0: 9.2. Analysis + PoC: aretiq.ai/research/11/

CVE-2026-48866 — Gravity Forms WordPress plugin (1M+ installs) arbitrary file deletion. Attacker poisons entries via ../ in upload URLs; admin cleanup calls unlink() outside uploads. Delete wp-config.php = site takeover. Analysis + PoC: aretiq.ai/research/vul26…

CVE-2026-48827 — Apache MINA SSHD path traversal in sshd-git module. SSH-authenticated attackers escape the git root via ../ to read/write any repo on the filesystem. Fixed in 2.18.0. Full analysis + PoC: aretiq.ai/research/vul26…

NEW RESEARCH: CVE-2026-8054 — dotCMS Core Publish Audit API SQL Injection CVSS 10.0 | Pre-auth | Network-accessible Unauthenticated SQLi in dotCMS Publish Audit API leads to full database compromise, possibly leading to remote code execution. aretiq.ai/research/vul26…

CVE-2026-9256 — NGINX heap buffer overflow (CVSS 9.2 Critical) Overlapping PCRE captures in rewrite → heap overflow + heap info leak. Unauthenticated, remote. DoS + RCE path confirmed. Fixed: nginx 1.31.1 / 1.30.2 aretiq.ai/research/vul26…