cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
Vulnerability intelligence
Trending now
CVEs trending on social media within the last 24 hours
1. CVE-2026-48842 Published May 25, 2026
Hype score: 19
Severity: high 8.1
Tags: Roundcube Webmail
CVE-2026-48842 describes a pre-authentication SQL injection vulnerability affecting Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw is specifically located within the `virtuser_query` plugin and can be exploited by bypassing a `preg_replace()` backslash escape. This CVE was recently published to the CVE List and added to the NVD dataset on May 25, 2026.
2. CVE-2026-48844 Published May 25, 2026
Hype score: 16
Severity: high 7.5
Tags: LDAP, Roundcube Webmail
CVE-2026-48844 describes a vulnerability found in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw originates from insecure code evaluation logic within the LDAP `autovalues` option. This vulnerability could allow an authenticated user to inject and execute arbitrary code, potentially leading to remote code execution on the Roundcube server. To mitigate this issue, support for code evaluation in the LDAP `autovalues` option has been removed in Roundcube Webmail versions 1.6.16 and 1.7.1.
3. CVE-2026-35616 Published Apr 4, 2026
Hype score: 14
Severity: critical 9.8
Exploit known
Tags: Network, API, IoT, Supply chain, VPN, Firmware, Port (22), Fortinet FortiClientEMS
CVE-2026-35616 is an improper access control vulnerability affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. This flaw enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted requests. The vulnerability essentially allows for a bypass of authentication and authorization mechanisms within the FortiClient EMS API. This vulnerability has been actively exploited in the wild, with reports indicating that attackers have leveraged it to deploy information-stealing malware, such as the EKZ Infostealer, disguised as Fortinet patches. The exploitation does not require prior authentication or user interaction, making it a significant concern for organizations utilizing vulnerable FortiClient EMS instances.
Known exploited
Sourced from CISA's Known Exploited Vulnerabilities (KEV) catalog.
- CVE-2010-0249 Published Jan 15, 2010
Severity: high 8.8
Exploit known
Tags: Windows, Microsoft Internet Explorer
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
- CVE-2026-8398 Published May 15, 2026
Hype score: 13
Severity: critical 9.3
Exploit known
Tags: Windows, DAEMON Tools Lite
CVE-2026-8398 describes a supply chain attack that compromised official installation packages of DAEMON Tools Lite for Windows. Between approximately April 8, 2026, and May 5, 2026, attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure. They subsequently trojanized three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe), which were then distributed via the legitimate daemon-tools.cc website. These malicious installers appeared trustworthy because the trojanized files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing them to bypass signature-based detection. The affected versions of DAEMON Tools Lite are 12.5.0.2421 through 12.5.0.2434.
- CVE-2026-45321 Published May 12, 2026
Hype score: 13
Severity: critical 9.6
Exploit known
Tags: GitHub Actions, TanStack, npm registry
CVE-2026-45321 describes a supply chain compromise that affected the TanStack npm organization on May 11, 2026. During this incident, 84 malicious versions across 42 `@tanstack/*` packages were published to the npm registry. These publications were authenticated using the legitimate GitHub Actions OIDC trusted-publisher binding for `TanStack/router`, even though the publish workflow itself was not modified. The attackers achieved this by chaining three distinct vulnerability classes: a `pull_request_target` "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process. This sophisticated method allowed them to publish credential-stealing malware under a trusted identity, with each affected package receiving two malicious versions within minutes of each other.
Insights
Our Security Team's most recent CVE analysis
- CVE-2026-41940
Severity: critical 9.3
Exploit known
Intruder Insights
Updated Apr 30, 2026
- CVE-2026-1340
Severity: critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future, which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- CVE-2026-1281
Severity: critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future, which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.