Injection Archives

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Tech Optimizer

May 21, 2026

CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

A critical vulnerability, CVE-2024-55638, has been identified in Drupal Core, affecting installations using PostgreSQL as their backend database. This vulnerability involves PHP Object Injection, which can lead to full Remote Code Execution (RCE) when combined with another deserialization flaw. It cannot be exploited independently but increases the risk for Drupal installations that use third-party modules or custom code that improperly employs the unserialize() function. The affected versions include Drupal Core 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9, with patched versions being 7.102, 10.2.11, and 10.3.9. The vulnerability is particularly relevant for sites using PostgreSQL, and organizations are urged to upgrade to the patched versions and audit their code for unsafe unserialize() usage. Currently, there are no confirmed reports of exploitation in the wild, but the risk remains high due to insecure deserialization bugs in third-party modules. The EPSS score for this vulnerability is 9.93%, indicating a significant likelihood of exploitation in the near future.

Tech Optimizer

May 21, 2026

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which allows attackers to execute remote code, escalate privileges, or disclose sensitive information. The vulnerability has a CVSS score of 6.5 and affects only sites using PostgreSQL databases. It can be exploited by anonymous users and is rooted in a database abstraction API used for query validation and SQL injection prevention. Updates have been released for the following versions: - Drupal 11.3.10 - Drupal 11.2.12 - Drupal 11.1.10 - Drupal 10.6.9 - Drupal 10.5.10 - Drupal 10.4.10 Drupal 7 is not impacted by this vulnerability. Users on unsupported versions 9 and 8 can access manual patches for: - Drupal 9.5 - Drupal 8.9 Drupal has stated that versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage, and that both Drupal 8 and 9 have reached end-of-life status. Patches for unsupported versions are provided as a best effort, but users should be aware of potential other vulnerabilities.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

Critical PostgreSQL Flaws Enable Code Execution and SQL Injection

On May 14, 2026, PostgreSQL released critical security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 Common Vulnerabilities and Exposures (CVEs) related to stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. The most critical vulnerability, CVE-2026-6637, has a CVSS score of 8.8 and allows remote, unprivileged database users to execute arbitrary code. Other notable vulnerabilities include CVE-2026-6473, which affects memory allocation leading to potential memory corruption, and CVE-2026-6475, which allows overwriting sensitive OS-level files. Additional vulnerabilities include SQL injection flaws and authentication issues, with various CVSS scores ranging from 3.7 to 7.5. The updates can be implemented without a database dump, and PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 19, 2026

Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections

The PostgreSQL Global Development Group has released security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 vulnerabilities, including critical issues related to arbitrary code execution and SQL injection flaws. All supported branches from 14 through 18 are affected by vulnerabilities, necessitating updates. Database administrators can perform in-place upgrades without needing a dump/restore. Key vulnerabilities include: - CVE-2026-6637: Stack buffer overflow in the refint module allowing arbitrary code execution. - CVE-2026-6472: Privilege bypass and arbitrary SQL execution. - CVE-2026-6473: Potential remote code execution and memory corruption. - CVE-2026-6474: Server memory information leak. - CVE-2026-6475: Arbitrary file overwrite vulnerability. - CVE-2026-6476: SQL injection with superuser execution. - CVE-2026-6477: Client-side code execution risk. - CVE-2026-6478: MD5 credential timing leak. - CVE-2026-6479: SSL/GSS denial-of-service flaw. - CVE-2026-6575: Limited memory disclosure issue. - CVE-2026-6638: SQL injection in logical replication. Organizations using PostgreSQL 14 should upgrade to version 14.23 and plan migration to a newer version before the end-of-life on November 12, 2026. The updates are urgent for deployments exposed to the internet or in multi-tenant environments.

AppWizard

May 19, 2026

Russia’s State-Mandated Max Messenger Reportedly Hides Powerful Tracking Tools

The state-mandated messenger Max, developed by VK and supported by the Kremlin, is preinstalled on all new smartphones in Russia as of September 1, 2025, and is designed to function during internet blackouts. Following WhatsApp's ban in February 2026, officials have promoted Max as a "sovereign" alternative to Western messaging platforms. A reverse-engineering study revealed numerous surveillance features in Max, including VPN detection that restricts access until VPNs are disabled, real-time monitoring of contact lists, NFC control for manipulating the phone's NFC chip, silent message deletion, IP address tracking, a persistent hardware identifier, the creation of fake chats and reviews, and code injection capabilities. The study also found an on-device machine-learning system that detects keywords from audio input and the ability to record microphone audio during calls without user notification. Additionally, Max monitors access to foreign services and compiles sensitive user information into reports sent to analytics channels. The integration of Max is part of Moscow's broader initiative to consolidate internet traffic through state-controlled platforms, even reaching the International Space Station for communication purposes. Critics view the promotion of Max as part of a strategy to establish a "sovereign" communications system, raising concerns about digital privacy and freedom in Russia.

Winsage

May 13, 2026

Windows 11 security update fixes critical Bing and Azure flaws

Microsoft released its May 2026 Patch Tuesday updates for Windows 11, addressing 97 security vulnerabilities across various components, including Windows, Microsoft Office, Azure services, SQL Server, SharePoint, Hyper-V, and .NET. The updates are encapsulated in KB5089549 for Windows 11 versions 24H2 and 25H2, elevating systems to builds 26100.8457 and 26200.8457. Notable vulnerabilities include CVE-2026-32169, a critical flaw in Azure Cloud Shell with a CVSS score of 10.0, and CVE-2026-21536, a critical remote code execution vulnerability in the Microsoft Devices Pricing Program with a CVSS score of 9.8. Other critical vulnerabilities include CVE-2026-32191 and CVE-2026-32194, impacting Microsoft Bing Images, both with CVSS scores of 9.8. The update also addresses multiple Windows privilege escalation vulnerabilities and remote code execution vulnerabilities in Microsoft Office and Excel. Microsoft has warned of upcoming Secure Boot certificate expirations starting in June 2026 and has improved boot reliability related to BitLocker recovery issues. Users can install the updates via Settings → Windows Update, with a system restart required.

AppWizard

May 12, 2026

Google wants Gemini to take over how you browse in Chrome

Google will integrate its Gemini 3.1 AI into the Chrome toolbar for Android starting in June, allowing users to summarize articles, ask questions about content, and extract details without switching apps. Users can enable the "Personal Intelligence" feature for tailored responses based on personal preferences. The Nano Banana feature will let users create or modify visuals from web pages. The auto browse function will allow Chrome to perform tasks like reserving parking or updating orders automatically. These features will include security protections, but sensitive actions will still require user confirmation. Gemini in Chrome will require devices with at least 4GB of RAM, running Android 12 or newer, and set to English-U.S. The rollout will begin for select Android devices in the U.S. at the end of June, with the auto browse feature available initially only to AI Pro and Ultra subscribers.

AppWizard

April 30, 2026

LofyStealer Targets Minecraft Players via Node.js Loader and Browser Injection

Minecraft players are being targeted by a deceptive hacking tool called “Slinky,” which is actually an infostealer known as LofyStealer linked to the Brazilian cybercrime group LofyGang. The malware uses a Node.js-based loader and a C++ payload to extract sensitive browser data, disguising itself as a Minecraft hack. It primarily targets younger players who may unknowingly execute it. The malware operates through a two-stage architecture, with a 53.5 MB loader binary that injects a smaller 1.4 MB payload into browser processes, bypassing detection methods. It collects sensitive information such as cookies, passwords, and credit card details, compressing and encoding the data for exfiltration. The command-and-control (C2) infrastructure is hosted in Brazil, and the malware's design reflects advanced compilation techniques. The campaign is attributed to LofyGang, which has evolved into a more professional entity, posing severe risks to players who download cheats and cracked tools. Indicators of compromise include a specific C2 IP address and associated endpoints.