Activity
Latest CVE events and analysis as they emerge
CVE-2026-35273 12 Jun 2026, 00:00
Added to CISA KEV catalog
- Vulnerability name: Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
- Product: Oracle PeopleSoft Enterprise PeopleTools
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
critical 9.8
Hype score: 0
CVE-2026-10520 11 Jun 2026, 00:00
Added to CISA KEV catalog
- Vulnerability name: Ivanti Sentry OS Command Injection Vulnerability
- Product: Ivanti Sentry
CVE-2026-10520 is an operating system command injection vulnerability affecting Ivanti Sentry, a mobile security gateway. This flaw allows a remote, unauthenticated attacker to achieve root-level remote code execution on affected systems. Specifically, the vulnerability is located within the `ConfigServiceController` class of the Sentry web application. It can be exploited by sending a specially crafted POST request to the unauthenticated endpoint `/mics/api/v2/sentry/mics-config/handleMessage`. This request is then interpreted as an internal MICS configuration command and executed by a backend component.
critical 10.0
Hype score: 2
CVE-2026-20245 09 Jun 2026, 00:00
Network, Tunneling protocol, Firmware
Added to CISA KEV catalog
- Vulnerability name: Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
- Product: Cisco Catalyst SD-WAN Manager
CVE-2026-20245 is a command injection vulnerability found in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage. This flaw arises from insufficient validation of user-supplied input, allowing an authenticated attacker with netadmin privileges to upload a specially crafted file. Upon successful exploitation, the attacker can execute arbitrary commands as root on the affected system. Cisco has observed limited instances of this vulnerability being exploited in the wild, with some cases resulting in configuration changes being pushed to edge devices. It is noted that the required netadmin privileges can be obtained either through valid credentials or by leveraging other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127.
high 7.8
Hype score: 0
CVE-2026-7473 09 Jun 2026, 00:00
Arista EOS, VXLAN, GRE
Added to CISA KEV catalog
- Vulnerability name: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
- Product: Arista Extensible Operating System
CVE-2026-7473 describes a vulnerability affecting Arista EOS platforms that have a tunnel decapsulation configuration enabled. This includes configurations such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface. The core issue is that the affected switch will incorrectly decapsulate and forward unexpected tunneled packets if their destination IP matches the configured decapsulation IP. This vulnerability arises because the switch fails to verify the tunnel protocol type, which can lead to the processing of non-configured tunnel traffic. This issue has been reported as being actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities Catalog.
medium 6.9
Hype score: 0
CVE-2026-11645 09 Jun 2026, 00:00
SSL
Added to CISA KEV catalog
- Vulnerability name: Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
- Product: Google Chromium V8
CVE-2026-11645 is an out-of-bounds read and write vulnerability found in the V8 JavaScript engine of Google Chrome. This flaw allows a remote attacker to execute arbitrary code within the browser's sandbox by enticing a user to visit a specially crafted HTML page. The vulnerability affects Google Chrome versions prior to 149.0.7827.103, as well as other Chromium-based browsers that utilize the V8 engine. Google has confirmed that an exploit for CVE-2026-11645 exists and is being actively used in the wild.
high 8.8
Hype score: 0