RCE Archives

Tech Optimizer

May 21, 2026

CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

A critical vulnerability, CVE-2024-55638, has been identified in Drupal Core, affecting installations using PostgreSQL as their backend database. This vulnerability involves PHP Object Injection, which can lead to full Remote Code Execution (RCE) when combined with another deserialization flaw. It cannot be exploited independently but increases the risk for Drupal installations that use third-party modules or custom code that improperly employs the unserialize() function. The affected versions include Drupal Core 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9, with patched versions being 7.102, 10.2.11, and 10.3.9. The vulnerability is particularly relevant for sites using PostgreSQL, and organizations are urged to upgrade to the patched versions and audit their code for unsafe unserialize() usage. Currently, there are no confirmed reports of exploitation in the wild, but the risk remains high due to insecure deserialization bugs in third-party modules. The EPSS score for this vulnerability is 9.93%, indicating a significant likelihood of exploitation in the near future.

Tech Optimizer

May 21, 2026

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which allows attackers to execute remote code, escalate privileges, or disclose sensitive information. The vulnerability has a CVSS score of 6.5 and affects only sites using PostgreSQL databases. It can be exploited by anonymous users and is rooted in a database abstraction API used for query validation and SQL injection prevention. Updates have been released for the following versions: - Drupal 11.3.10 - Drupal 11.2.12 - Drupal 11.1.10 - Drupal 10.6.9 - Drupal 10.5.10 - Drupal 10.4.10 Drupal 7 is not impacted by this vulnerability. Users on unsupported versions 9 and 8 can access manual patches for: - Drupal 9.5 - Drupal 8.9 Drupal has stated that versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage, and that both Drupal 8 and 9 have reached end-of-life status. Patches for unsupported versions are provided as a best effort, but users should be aware of potential other vulnerabilities.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability

A proof-of-concept exploit has been developed for CVE-2026-2005, a remote code execution vulnerability in the pgcrypto extension of PostgreSQL. This vulnerability, stemming from legacy code, allows attackers to trigger a heap-based buffer overflow through specially crafted PGP messages, enabling arbitrary memory read and write operations. Successful exploitation can escalate privileges to PostgreSQL superuser status and execute commands on the operating system. The exploit targets PostgreSQL instances compiled from a specific vulnerable commit and circumvents protections like Address Space Layout Randomization (ASLR). It involves corrupting heap memory structures, leading to a controlled pointer leak that reveals the heap layout. Security researcher Varik Matevosyan has published the PoC on GitHub, demonstrating the exploitation process. The exploit requires a compatible PostgreSQL binary and utilizes Python-based tools for interaction. Organizations are advised to review their PostgreSQL deployments, disable unnecessary extensions, and apply security updates to mitigate risks.

Tech Optimizer

May 19, 2026

20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution

A proof-of-concept exploit for CVE-2026-2005 has been released, highlighting a significant vulnerability in the PostgreSQL pgcrypto extension that allows for remote code execution (RCE). This flaw, rooted in legacy code for nearly 20 years, enables attackers to escalate privileges and execute arbitrary commands on compromised servers. The vulnerability is found in the PGP session key parsing logic of the pgcrypto module and involves a heap-based buffer overflow, granting attackers arbitrary read and write access to memory. The exploit, shared by researcher “var77” on GitHub, demonstrates a multi-stage process that bypasses modern security measures like Address Space Layout Randomization (ASLR) using specially crafted PGP messages. The attack involves several steps, including heap pointer leakage, arbitrary memory read, identification of executable memory regions, and privilege escalation to the PostgreSQL superuser level, ultimately allowing the execution of OS-level commands. The vulnerability affects PostgreSQL deployments with the pgcrypto extension enabled, particularly those using vulnerable code versions. Successful exploitation can lead to full database compromise, unauthorized data access or modification, and potential lateral movement within networks. Organizations are advised to update PostgreSQL, restrict pgcrypto usage, limit user privileges, and monitor for unusual activity to mitigate risks.

Tech Optimizer

May 19, 2026

PoC Released for 20-Year Old PostgreSQL RCE Flaw

A public proof-of-concept exploit has been released for CVE-2026-2005, a critical heap-based buffer overflow vulnerability in PostgreSQL's pgcrypto extension, allowing full remote code execution and privilege escalation to the database superuser level. This vulnerability has existed since 2005 and was discovered by an AI-powered security tool during the ZeroDay.Cloud 2025 event in December 2025. An upstream patch was committed on February 8, 2026, and released on February 12, 2026. The vulnerability has a CVSS score of 8.8 and affects approximately 80% of cloud environments using PostgreSQL, with 45% accessible via the internet. The flaw is in the pgp_parse_pubenc_sesskey() function, which lacks bounds checking, allowing attackers to manipulate session key lengths. The pgcrypto extension can be installed by any database role with CREATE privileges, increasing the risk of exploitation. The proof-of-concept exploit involves an information leak, arbitrary write, and privilege escalation to remote code execution. The vulnerability affects all major versions of PostgreSQL prior to the February 2026 releases, which include versions 18.2, 17.8, 16.12, 15.16, and 14.21. Mitigation steps include upgrading to patched versions, restricting CREATE privileges, blocking direct internet exposure, rotating database credentials, auditing the usage of COPY FROM PROGRAM, and verifying patched engine versions for cloud-managed PostgreSQL users.

Tech Optimizer

May 19, 2026

Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections

The PostgreSQL Global Development Group has released security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 vulnerabilities, including critical issues related to arbitrary code execution and SQL injection flaws. All supported branches from 14 through 18 are affected by vulnerabilities, necessitating updates. Database administrators can perform in-place upgrades without needing a dump/restore. Key vulnerabilities include: - CVE-2026-6637: Stack buffer overflow in the refint module allowing arbitrary code execution. - CVE-2026-6472: Privilege bypass and arbitrary SQL execution. - CVE-2026-6473: Potential remote code execution and memory corruption. - CVE-2026-6474: Server memory information leak. - CVE-2026-6475: Arbitrary file overwrite vulnerability. - CVE-2026-6476: SQL injection with superuser execution. - CVE-2026-6477: Client-side code execution risk. - CVE-2026-6478: MD5 credential timing leak. - CVE-2026-6479: SSL/GSS denial-of-service flaw. - CVE-2026-6575: Limited memory disclosure issue. - CVE-2026-6638: SQL injection in logical replication. Organizations using PostgreSQL 14 should upgrade to version 14.23 and plan migration to a newer version before the end-of-life on November 12, 2026. The updates are urgent for deployments exposed to the internet or in multi-tenant environments.

Winsage

May 14, 2026

Microsoft unveils MDASH, its AI agent-driven security platform — and it’s already spotted a host of new Windows flaws

Microsoft has introduced MDASH, a platform that enhances vulnerability discovery using artificial intelligence, developed by the Autonomous Code Security Team and the Windows Attack Research and Protection group. MDASH has identified 16 previously unknown vulnerabilities in various Windows components, including four critical remote code execution vulnerabilities (CVE‑2026‑33827 and CVE‑2026‑33824). The platform achieved zero false positives during testing and is currently used internally at Microsoft and in a private preview for select partners.

Winsage

May 13, 2026

Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities

Microsoft's May 2026 security update addresses 137 vulnerabilities, with 31 classified as critical. None of these critical vulnerabilities are currently being exploited in active attacks. Sixteen of the critical vulnerabilities involve remote code execution (RCE) issues in Microsoft products, including Microsoft Office, Microsoft Word, and Azure. Specific vulnerabilities include: - CVE-2026-32161: A use-after-free vulnerability in the Windows Native WiFi Miniport Driver. - CVE-2026-40358: A use-after-free vulnerability in Microsoft Office. - CVE-2026-41089: A stack-based buffer overflow in Windows Netlogon. Additional important vulnerabilities flagged include: - CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. - CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability. - CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Talos is releasing a new Snort ruleset to detect attempts to exploit these vulnerabilities, and users are advised to update their Cisco Security Firewalls and acquire the latest rule pack via Snort.org.

Winsage

May 5, 2026

Unpatched flaws turn Ollama’s auto-updater into a persistent RCE vector, researchers say

Researchers at Striga have identified two vulnerabilities (CVE-2026-42248 and CVE-2026-42249) in Ollama’s Windows auto-updater that could allow an attacker to install a persistent executable that runs at user login. CVE-2026-42248 fails to properly verify signatures of downloaded content, while CVE-2026-42249 is a path traversal flaw that allows an attacker to inject malicious code into the user's Startup folder. Exploitation requires control over the update response, with potential methods including compromising the update infrastructure or redirecting the client. The vulnerabilities affect Ollama versions 0.12.10 through 0.17.5, and users are advised to disable auto-updates and remove shortcuts from the Startup folder to mitigate risks.