cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
Vulnerability intelligence
Feeds
Trending now
CVEs trending on social media within the last 24 hours
1
CVE-2026-26980 Published Feb 20, 2026
Hype score: 7
critical 9.4
SQL injection
CVE-2026-26980 is a SQL injection vulnerability found in Ghost, a Node.js content management system. This flaw specifically affects the Content API's slug filter ordering functionality. It allows unauthenticated attackers to perform arbitrary reads from the database. The vulnerability impacts Ghost versions 3.24.0 through 6.19.0. Exploitation of this issue could lead to the extraction of sensitive data, including user credentials, authentication tokens, and site content. A fix for this vulnerability has been released in Ghost version 6.19.1.
2
CVE-2026-45321 Published May 12, 2026
Hype score: 6
critical 9.6
Exploit known
CVE-2026-45321 describes a supply chain compromise that affected the TanStack npm organization on May 11, 2026. During this incident, 84 malicious versions across 42 `@tanstack/*` packages were published to the npm registry. These publications were authenticated using the legitimate GitHub Actions OIDC trusted-publisher binding for `TanStack/router`, even though the publish workflow itself was not modified. The attackers achieved this by chaining three distinct vulnerability classes: a `pull_request_target` "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process. This sophisticated method allowed them to publish credential-stealing malware under a trusted identity, with each affected package receiving two malicious versions within minutes of each other.
3
CVE-2026-8398 Published May 15, 2026
Hype score: 6
critical 9.3
Exploit known
CVE-2026-8398 describes a supply chain attack that compromised official installation packages of DAEMON Tools Lite for Windows. Between approximately April 8, 2026, and May 5, 2026, attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure. They subsequently trojanized three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—which were then distributed via the legitimate daemon-tools.cc website. These malicious installers appeared trustworthy because the trojanized files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing them to bypass signature-based detection. The affected versions of DAEMON Tools Lite are 12.5.0.2421 through 12.5.0.2434.
Known exploited
Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.
- CVE-2010-0249 Published Jan 15, 2010
high 8.8
Exploit known
Windows
Microsoft Internet Explorer
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
- CVE-2026-8398 Published May 15, 2026
Hype score: 6
critical 9.3
Exploit known
- CVE-2026-45321 Published May 12, 2026
Hype score: 6
critical 9.6
Exploit known
Insights
Our Security Team's most recent CVE analysis
- CVE-2026-41940
critical 9.3
Exploit known
Intruder Insights
Updated Apr 30, 2026
- CVE-2026-1340
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- CVE-2026-1281
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.