dbugs
@ptdbugs
125 posts

Vulnerabilities’ home

Joined July 2025
3 Following, 598 Followers

Pinned Tweet
dbugs@ptdbugs·
1/4 dbugs LIVE dbugs.ptsecurity.com — vulnerabilities’ home See trends, discover more, read AI summaries, have all references at hand, and your profile with all your CVEs and CVSS score on a leaderboard. ⬇️ See thread: what’s live + what’s next ⬇️
dbugs@ptdbugs·
🔑 VMkatz — extracting Windows credentials directly from virtual machine memory snapshots and virtual disks

The tool is designed to extract NTLM hashes, DPAPI keys, Kerberos tickets, cached domain credentials, LSA secrets, and the NTDS.dit database directly from ".vmsn", ".vmdk" and other virtual machine artifacts. It operates without downloading full images—a crucial advantage when bandwidth is limited or exfiltration detection is a concern. The tool is a statically compiled binary (~2.5 MB) capable of running directly on a NAS, hypervisor, or storage system where the VM files reside.

Features:
📍 Extracts secrets from LSASS memory for all nine SSP providers supported by "Mimikatz"
📍 Works with ".vmsn", ".vmdk", ".sav" files without needing to boot or "thaw" the virtual machine.
📍 Retrieves NTLM hashes, DPAPI master keys, Kerberos tickets, LSA secrets, and NTDS.dit
📍 A single‑file binary with no external dependencies or installation requirements.

Functionally, "VMkatz" is closest to "Mimikatz" and "Impacket" modules for offline analysis. Unlike traditional tools, it interacts directly with VM disk and memory images. While "Mimikatz" excels at interactive tasks on live systems, "VMkatz" is purpose-built for efficient, stealthy extraction from VM snapshots.

📎 Tool: github.com/nikaiw/VMkatz
#dbugs_tools
dbugs@ptdbugs·
DarkSword — Coruna successor

The Coruna exploit kit, discovered in early March and targeting iPads and iPhones running iOS 13–17.2.1, now has a successor — DarkSword. On March 18, after Apple patched the CVEs exploited by Coruna (on March 13) and the kit had already spread across the web, researchers -> (lookout.com/blog/darksword) from Lookout Threat Labs identified a new iOS exploit kit named DarkSword.

Like Coruna, DarkSword is used to steal a wide range of personal data, including saved passwords, photos, WhatsApp and Telegram data, crypto wallets, SMS messages, contacts, location, browser history, cookies, and more. DarkSword targets iPhones running iOS 18.4–18.7 and is linked to the Coruna operators and the UNC6353 group.

According to a report -> (iverify.io/blog/darksword…) by iVerify, all vulnerabilities exploited by DarkSword, including use-after-free, out-of-bounds write, kernel copy-on-write flaws, and kernel privilege escalation bugs, are known and have already been patched by Apple in the latest iOS versions.

DarkSword attacks are triggered in the Safari browser, where the exploit kit grants operators kernel read/write access and then executes code via the main orchestrator component (pe_main.js). The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, then activates modules for data theft.

#dbugs_darkweb
dbugs@ptdbugs·
Sale of a Windows 0day exploit

For informational purposes only.
Vulnerability type: LPE
Affected OS: Windows 11, Windows Server 2022/2025
Price: $160K

The seller claims the exploit works on systems fully patched as of March 19, 2026.

#dbugs_darkweb
dbugs@ptdbugs·
🔒A new approach to DeFi security

DeFi (decentralized finance) is an ecosystem of financial services built on blockchain technology (lending, exchanges, staking), where there are no banks or centralized intermediaries, and users interact directly through smart contracts.

Researchers have introduced -> (arxiv.org/pdf/2603.13290) the TAS-GNN model, which uses graph neural networks to combat Sybil attacks, whitewashing, and camouflaged fraud on DeFi platforms, where malicious actors cultivate artificial reputations before executing exit scams.

❗️The problem with current solutions
Typically, trust systems in DeFi focus solely on positive connections, such as interactions and fund transfers between participants. However, an attacker can artificially create such a network and gradually boost their reputation among their own accounts.

The TAS-GNN model takes into account two types of signals:
🟠 trust (normal, verified interactions between participants)
🟠 distrust (suspicious or anomalous connections, such as groups of accounts that only interact with each other)

Instead of relying on a single view of connections, the system builds a deeper analysis of network behavior, revealing not only typical interactions but also isolated or artificially created clusters.

#dbugs_tech
dbugs@ptdbugs·
A tool for bypassing LLM censorship has been released publicly

On February 13, 2026, researcher @elder_plinius announced -> (x.com/elder_plinius/…) that he had developed a tool to remove refusal behavior in open‑weight large language models.

Open weights are the parameters of a trained neural network that are publicly available. This allows developers and researchers to download the model, run it locally, fine‑tune it, or modify its behavior — for example, to adjust refusal mechanisms. However, changing these parameters can degrade response quality or cause model hallucinations.

Refusal behavior typically occurs when a prompt touches on ethical issues, medical advice, the creation of prohibited substances, materials, or objects, potentially dangerous actions, or illegal activities — including the development of malware and exploits.

According to elder_plinius, after applying his tool OBLITERATUS to the Qwen 2.5 model, it began producing instructions for creating prohibited and explosive materials without the need for jailbreaks (specially crafted prompts).

On March 5, elder_plinius reported that the OBLITERATUS source code had been published on GitHub -> (github.com/elder-plinius/…). The tool uses “abliterations” — methods that probe the model, locate, and modify weights in specific layers to suppress signals responsible for refusals to provide information. According to the developer, no additional tuning or retraining is required.

The tool also includes tests to verify whether the weight modifications succeeded and to detect the Ouroboros effect (when an LLM “self‑restores” — even after censorship removal, it mimics censorship due to residual dependencies).

Six usage options are available, ranging from a web interface on Hugging Face Spaces to integration into a development pipeline.

As elder_plinius puts it: “Every open-weight model release is also an uncensored model release.”

#dbugs_tech
Pliny the Liberator 🐉 @elder_plinius
🚨 ALL GUARDRAILS: OBLITERATED ⛓️‍💥 I CAN'T BELIEVE IT WORKS!! 😭🙌 I set out to build a tool capable of surgically removing refusal behavior from any open-weight language model, and a dozen or so prompts later, OBLITERATUS appears to be fully functional 🤯 It probes the model with restricted vs. unrestricted prompts, collects internal activations at every layer, then uses SVD to extract the geometric directions in weight space that encode refusal. It projects those directions out of the model's weights; norm-preserving, no fine-tuning, no retraining. Ran it on Qwen 2.5 and the resulting railless model was spitting out drug and weapon recipes instantly––no jailbreak needed! A few clicks plus a GPU and any model turns into Chappie. Remember: RLHF/DPO is not durable. It's a thin geometric artifact in weight space, not a deep behavioral change. This removes it in minutes. AI policymakers need to be aware of the arcane art of Master Ablation and internalize the implications of this truth: every open-weight model release is also an uncensored model release. Just thought you ought to know 😘 OBLITERATUS -> LIBERTAS

dbugs@ptdbugs·
Hacker forum LeakBase shut down again during a special operation by the Russian Ministry of Internal Affairs

Earlier LeakBase forum had been taken down by the FBI and other law enforcement agencies on March 4. Despite the seizure of the main domain, the forum’s administrators continued to keep it running. Over the following week, LeakBase domains changed frequently, and on the evening of March 13 a statement appeared on the active domain announcing the forum’s final shutdown as part of a special operation by the BSTM unit of the Russian Ministry of Internal Affairs.

We believe LeakBase is unlikely to return, since along with the forum’s repeated closure, its Telegram channels also reported being taken down by the Russian Ministry of Internal Affairs.

#dbugs_darkweb
dbugs@ptdbugs·
PrivHound — a tool for analyzing paths to AD takeover through local privilege escalation (LPE)

A BloodHound-compatible tool that visualizes local privilege escalation (LPE) vectors as interconnected attack paths. It highlights not just individual vulnerabilities but full privilege‑escalation chains. Useful for Red Team operations and post‑exploitation analysis in Windows environments.

Compared to "WinPEAS", "PowerUp" and "Seatbelt", "PrivHound" doesn’t just list misconfigurations — it models their relationships, providing context and visibility into escalation chains; however, it requires "BloodHound" to be installed and doesn’t perform standalone auditing.

📎 Tool: github.com/dazzyddos/Priv…
#dbugs_tools
dbugs@ptdbugs·
CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
CVE: CVE-2026-22730
PT-Identifier: PT-2026-25940
Vendor: VMware
Product: Spring AI
CVSS: 8.8
Credits: n/a
Description: A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.
References:
• dbugs.ptsecurity.com/vulnerability/…
• spring.io/security/cve-2…
#dbugs_vuln
dbugs@ptdbugs·
CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
CVE: CVE-2026-22729
PT-Identifier: PT-2026-25939
Vendor: VMware
Product: Spring AI
CVSS: 8.6
Credits: n/a
Description: A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
References:
• dbugs.ptsecurity.com/vulnerability/…
• spring.io/security/cve-2…
#dbugs_vuln
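An added example, not Spring AI's code: the unescaped concatenation the advisory describes next to an escaping build step, with a small scanner that counts boolean operators outside string literals so a composed filter can be checked before it is sent. It assumes a JSONPath dialect whose double-quoted literals take JSON-style backslash escapes; the metadata key "tenant" and the sample values are constructed.

```javascript
// Added example, not code from Spring AI. Assumes double-quoted JSONPath string
// literals with JSON-style backslash escapes; "tenant" and the values are constructed.

// Vulnerable pattern: user input dropped straight into the filter expression.
function buildFilterUnescaped(key, value) {
  return `$[?(@.metadata.${key} == "${value}")]`;
}

// Escape a value so it stays one string literal: backslash, double quote and
// control characters are encoded, so || and && inside it are just text.
function jsonPathStringLiteral(value) {
  let out = "";
  for (const ch of String(value)) {
    const code = ch.charCodeAt(0);
    if (ch === "\\") out += "\\\\";
    else if (ch === '"') out += '\\"';
    else if (code < 0x20) out += "\\u" + code.toString(16).padStart(4, "0");
    else out += ch;
  }
  return `"${out}"`;
}

// Hardened pattern: the key is restricted to an identifier, the value is escaped.
function buildFilterEscaped(key, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) throw new Error("bad metadata key");
  return `$[?(@.metadata.${key} == ${jsonPathStringLiteral(value)})]`;
}

// Scanner: walk the expression, track whether we are inside a double-quoted literal
// (honouring backslash escapes), and count "||" / "&&" found outside any literal.
// A filter built from one comparison should report zero.
function booleanOperatorsOutsideLiterals(expr) {
  let inString = false;
  let count = 0;
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (inString) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if ((ch === "|" || ch === "&") && expr[i + 1] === ch) { count++; i++; }
  }
  return count;
}

// Constructed input: a tenant value that carries a second comparison.
const hostile = 'acme" || @.metadata.tenant == "other';
```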
dbugs@ptdbugs·
CVE: CVE-2026-21994
Vendor: Oracle Corporation
Product: Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit
CVSS: 9.8
Credits: n/a
Description: Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
References:
• dbugs.ptsecurity.com/vulnerability/…
• oracle.com/security-alert…
#dbugs_vuln
dbugs@ptdbugs·
CVE: CVE-2026-21570
PT-Identifier: PT-2026-25921
Vendor: Atlassian
Product: Bamboo Data Center
CVSS: 8.6
Credits: n/a
Description: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system. Atlassian recommends that Bamboo Data Center customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3
See the release notes (confluence.atlassian.com/bambooreleases…). You can download the latest version of Bamboo Data Center from the download center (atlassian.com/software/bambo…). This vulnerability was reported via our Atlassian (Internal) program.
References:
• dbugs.ptsecurity.com/vulnerability/…
• confluence.atlassian.com/pages/viewpage…
• jira.atlassian.com/browse/BAM-263…
#dbugs_vuln
dbugs@ptdbugs·
ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators
CVE: CVE-2026-4148
Vendor: MongoDB Inc.
Product: MongoDB Server
CVSS: 8.7
Credits: n/a
Description: A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
References:
• dbugs.ptsecurity.com/vulnerability/…
• jira.mongodb.org/browse/SERVER-…
#dbugs_vuln
dbugs@ptdbugs·
Exploitation of CVE-2025-38617 in Linux Packet Sockets

The article examines the exploitation of a race condition vulnerability in the Linux kernel’s packet socket subsystem (CVE-2025-38617 -> (dbugs.ptsecurity.com/vulnerability/…)). The flaw allows an attacker to achieve local privilege escalation (LPE). The issue arises from concurrent access to network packet buffers and extended file attributes, creating a window for kernel memory corruption. Exploitation requires only local system access and can ultimately lead to arbitrary code execution with root privileges.

📎 Article: blog.calif.io/p/a-race-withi…
#dbugs_attacks
dbugs@ptdbugs·
🤩 CSRF in Next.js Server Actions

@kapeka0 demonstrated a CSRF attack against Next.js Server Actions. They are commonly believed to be protected by default. They are not. Let’s examine three security weaknesses that enable CSRF:

1⃣ Binding Confusion — any Server Action is accessible via a form
Next.js supports two modes for invoking server functions:
Fetch Action — invoked via JavaScript with a custom "next-action" header. When a cross-domain request includes a custom header, the browser first sends a preflight request to check permissions. CSRF is impossible in this case.
MPA Action — invoked via an HTML form using POST with multipart/form-data and no custom headers. The browser treats this as a simple request and sends it without a preflight check. Together, these conditions enable CSRF.
The vulnerability arises because any Server Action can be invoked in both ways, including the less secure MPA mode.

2⃣ Bypassing the Origin check
Next.js compares the request’s "Origin" header with the server’s address. If they don’t match, the request is blocked. However, if the "Origin" header is missing or equals "null", the framework allows the request, assuming it comes from an older browser that does not support the header. An attacker can obtain "Origin: null" through a chain of cross-domain redirects. To do this, a form on the attacker’s page sends a "POST" request to the attacker’s server, which then responds with a redirect (specifically with status code 307, which preserves the "POST" method and request body) to the victim’s application. In this situation, the browser cannot determine a valid origin after the cross-domain redirect and therefore sets the "Origin" header to "null".

3⃣ SameSite attribute
For the attack to succeed, the victim’s session cookie must be included in cross-site requests. This behavior depends on the "SameSite" attribute:
- If "SameSite=None", the cookie is always sent with cross-site requests.
- If the attribute is not set, the behavior depends on the browser. Firefox and Safari send the cookie, while Chrome only sends it within the first two minutes after the cookie is created.

💥 Attack chain
The victim opens the attacker’s HTML page → the form is submitted automatically → the request is redirected through the attacker’s server (the "Origin" header becomes "null") → Next.js skips the "Origin" check → the framework deserializes arguments from the form → the Server Action is executed on behalf of the victim when session cookies are insecurely configured.
An example of a CSRF form is shown in the picture.

📎 Article: kapeka.dev/blog/csrf-in-t…
#dbugs_attacks
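A defensive check for the two server-side conditions the post describes (a missing or "null" Origin being accepted, and session cookies without a SameSite attribute), as an added example in JavaScript that is not from the post or the Next.js project. The allowed origin, header objects and Set-Cookie strings are constructed samples, and Next.js internals are not modelled, only the rule as the post states it.

```javascript
// Added example (not from the post or the Next.js project): the permissive Origin
// rule the post describes beside a fail-closed one, plus a Set-Cookie check for the
// SameSite condition. Header objects use lowercase keys; all values are constructed.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed sample

// Rule as described in the post: a missing or "null" Origin is let through.
function permissiveOriginCheck(headers) {
  const origin = headers["origin"];
  if (origin === undefined || origin === "null") return true; // the CSRF gap
  return ALLOWED_ORIGINS.has(origin);
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Hardened rule for state-changing requests: a missing or "null" Origin is never
// trusted by itself. Fall back to Referer only when it parses to an allowed origin.
function strictOriginCheck(headers) {
  const origin = headers["origin"];
  if (origin !== undefined && origin !== "null") return ALLOWED_ORIGINS.has(origin);
  const referer = headers["referer"];
  if (referer === undefined) return false;
  const refOrigin = originOf(referer);
  return refOrigin !== null && ALLOWED_ORIGINS.has(refOrigin);
}

// Classify a Set-Cookie header by whether browsers attach the cookie to cross-site
// form POSTs. No SameSite attribute is reported as browser-dependent, matching the
// Firefox/Safari vs. Chrome behaviour the post describes.
function sameSitePolicy(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((s) => s.trim().toLowerCase());
  const ss = attrs.find((a) => a.startsWith("samesite="));
  if (!ss) return "browser-dependent";
  const value = ss.slice("samesite=".length);
  if (value === "lax" || value === "strict") return "cross-site-blocked";
  if (value === "none") return "cross-site-sent";
  return "browser-dependent";
}

// Constructed sample: a multipart form POST that arrived via a cross-site 307
// redirect, so the browser sent "Origin: null" and no usable Referer.
const redirectedFormPost = {
  "content-type": "multipart/form-data; boundary=----constructed",
  "origin": "null",
};
```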
dbugs@ptdbugs·
🔧 PulseAPK Core — GUI for Android app analysis

A cross‑platform tool for the full APK workflow: decompilation → static Smali analysis → editing → rebuild → signing. A graphical wrapper around "apktool" with a built‑in security analyzer.

The analyzer scans Smali code for root and emulator checks, embedded secrets (API keys, tokens, authorization headers), and insecure HTTP connections. Rules are defined in a JSON file and applied immediately after editing — no app restart required.

Requires Java, "apktool.jar" and "uber-apk-signer.jar" as external dependencies.

📎 Tool: github.com/deemoun/PulseA…
#dbugs_tools
dbugs@ptdbugs·
RCE in Junos OS Evolved (PTX Series)

watchTowr researchers have described a vulnerability CVE-2026-21902 -> (dbugs.ptsecurity.com/vulnerability/…) in Juniper Junos OS Evolved affecting PTX-series devices. The flaw stems from an incorrect permission assignment for a critical resource, allowing a remote attacker to execute arbitrary code on the target system. Exploitation requires network access to the vulnerable service but does not require elevated privileges. Successful exploitation grants the attacker command execution capabilities with root privileges.

The issue is limited to PTX platforms used in backbone and data center networks where Junos OS Evolved serves as the base operating environment.

📎 Article: labs.watchtowr.com/sometimes-you-…
#dbugs_attacks
dbugs
dbugs@ptdbugs·
D-Link DNS-1550-04 app_mgr.cgi UPnP_AV_Server_Path_Setting stack-based overflow
CVE: CVE-2026-4214
PT-Identifier: PT-2026-25566
Vendor: D-Link
Product: DNS-120
CVSS: 8.7
Credits: pjq123 (VulDB User)
Description: A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function UPnP_AV_Server_Path_Setting of the file /cgi-bin/app_mgr.cgi. Executing a manipulation can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used.
References:
• dbugs.ptsecurity.com/vulnerability/…
• vuldb.com/?id.351125
• vuldb.com/?ctiid.351125
• vuldb.com/?submit.770445
• github.com/wudipjq/my_vul…
• dlink.com
#dbugs_vuln
dbugs@ptdbugs·
D-Link DNS-1550-04 gui_mgr.cgi cgi_myfavorite_verify stack-based overflow
CVE: CVE-2026-4213
Vendor: D-Link
Product: DNS-120
CVSS: 8.7
Credits: pjqwudi (VulDB User)
Description: A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function cgi_myfavorite_del_user/cgi_myfavorite_verify of the file /cgi-bin/gui_mgr.cgi. Performing a manipulation results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.
References:
• dbugs.ptsecurity.com/vulnerability/…
• vuldb.com/?id.351124
• vuldb.com/?ctiid.351124
• vuldb.com/?submit.770443
• vuldb.com/?submit.770444
• github.com/wudipjq/my_vul…
• github.com/wudipjq/my_vul…
• dlink.com
#dbugs_vuln
dbugs@ptdbugs·
D-Link DNS-1550-04 download_mgr.cgi Downloads_Schedule_Info stack-based overflow
CVE: CVE-2026-4212
Vendor: D-Link
Product: DNS-120
CVSS: 8.7
Credits: pjqwudi (VulDB User)
Description: A security vulnerability has been detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This affects the function Downloads_Schedule_Info of the file /cgi-bin/download_mgr.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
References:
• dbugs.ptsecurity.com/vulnerability/…
• vuldb.com/?id.351123
• vuldb.com/?ctiid.351123
• vuldb.com/?submit.770442
• github.com/wudipjq/my_vul…
• dlink.com
#dbugs_vuln
dbugs@ptdbugs·
D-Link DNS-1550-04 local_backup_mgr.cgi Local_Backup_Info stack-based overflow
CVE: CVE-2026-4211
Vendor: D-Link
Product: DNS-120
CVSS: 8.7
Credits: pjqwudi (VulDB User)
Description: A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this issue is the function Local_Backup_Info of the file /cgi-bin/local_backup_mgr.cgi. This manipulation of the argument f_idx causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
References:
• dbugs.ptsecurity.com/vulnerability/…
• vuldb.com/?id.351122
• vuldb.com/?ctiid.351122
• vuldb.com/?submit.770441
• github.com/wudipjq/my_vul…
• dlink.com
#dbugs_vuln