remote code execution Archives

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Winsage

May 22, 2026

Microsoft says public sharing of Windows 11 vulnerability violates ‘best practices’

A security researcher known as Nightmare-Eclipse revealed a vulnerability in Windows 11, named YellowKey, which allows attackers to access BitLocker-encrypted drives through the Windows Recovery Environment. Microsoft acknowledged the vulnerability, assigned it the identifier CVE-2026-45585, and criticized the public sharing of its proof of concept. Currently, there is no patch available for the BitLocker bypass, but physical access to the device provides some protection. The vulnerability does not exist in Windows 10 due to differences in the Windows Recovery Environment. The attack requires a stolen Windows 11 laptop and a USB stick, and the vulnerable filesystems include NTFS, FAT32, and exFAT. Nightmare-Eclipse speculated that the bypass may function as a backdoor, while Microsoft referred to it as a "security feature bypass vulnerability."

Tech Optimizer

May 21, 2026

CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

A critical vulnerability, CVE-2024-55638, has been identified in Drupal Core, affecting installations using PostgreSQL as their backend database. This vulnerability involves PHP Object Injection, which can lead to full Remote Code Execution (RCE) when combined with another deserialization flaw. It cannot be exploited independently but increases the risk for Drupal installations that use third-party modules or custom code that improperly employs the unserialize() function. The affected versions include Drupal Core 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9, with patched versions being 7.102, 10.2.11, and 10.3.9. The vulnerability is particularly relevant for sites using PostgreSQL, and organizations are urged to upgrade to the patched versions and audit their code for unsafe unserialize() usage. Currently, there are no confirmed reports of exploitation in the wild, but the risk remains high due to insecure deserialization bugs in third-party modules. The EPSS score for this vulnerability is 9.93%, indicating a significant likelihood of exploitation in the near future.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability

A proof-of-concept exploit has been developed for CVE-2026-2005, a remote code execution vulnerability in the pgcrypto extension of PostgreSQL. This vulnerability, stemming from legacy code, allows attackers to trigger a heap-based buffer overflow through specially crafted PGP messages, enabling arbitrary memory read and write operations. Successful exploitation can escalate privileges to PostgreSQL superuser status and execute commands on the operating system. The exploit targets PostgreSQL instances compiled from a specific vulnerable commit and circumvents protections like Address Space Layout Randomization (ASLR). It involves corrupting heap memory structures, leading to a controlled pointer leak that reveals the heap layout. Security researcher Varik Matevosyan has published the PoC on GitHub, demonstrating the exploitation process. The exploit requires a compatible PostgreSQL binary and utilizes Python-based tools for interaction. Organizations are advised to review their PostgreSQL deployments, disable unnecessary extensions, and apply security updates to mitigate risks.

Tech Optimizer

May 19, 2026

20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution

A proof-of-concept exploit for CVE-2026-2005 has been released, highlighting a significant vulnerability in the PostgreSQL pgcrypto extension that allows for remote code execution (RCE). This flaw, rooted in legacy code for nearly 20 years, enables attackers to escalate privileges and execute arbitrary commands on compromised servers. The vulnerability is found in the PGP session key parsing logic of the pgcrypto module and involves a heap-based buffer overflow, granting attackers arbitrary read and write access to memory. The exploit, shared by researcher “var77” on GitHub, demonstrates a multi-stage process that bypasses modern security measures like Address Space Layout Randomization (ASLR) using specially crafted PGP messages. The attack involves several steps, including heap pointer leakage, arbitrary memory read, identification of executable memory regions, and privilege escalation to the PostgreSQL superuser level, ultimately allowing the execution of OS-level commands. The vulnerability affects PostgreSQL deployments with the pgcrypto extension enabled, particularly those using vulnerable code versions. Successful exploitation can lead to full database compromise, unauthorized data access or modification, and potential lateral movement within networks. Organizations are advised to update PostgreSQL, restrict pgcrypto usage, limit user privileges, and monitor for unusual activity to mitigate risks.

Tech Optimizer

May 19, 2026

PoC Released for 20-Year Old PostgreSQL RCE Flaw

A public proof-of-concept exploit has been released for CVE-2026-2005, a critical heap-based buffer overflow vulnerability in PostgreSQL's pgcrypto extension, allowing full remote code execution and privilege escalation to the database superuser level. This vulnerability has existed since 2005 and was discovered by an AI-powered security tool during the ZeroDay.Cloud 2025 event in December 2025. An upstream patch was committed on February 8, 2026, and released on February 12, 2026. The vulnerability has a CVSS score of 8.8 and affects approximately 80% of cloud environments using PostgreSQL, with 45% accessible via the internet. The flaw is in the pgp_parse_pubenc_sesskey() function, which lacks bounds checking, allowing attackers to manipulate session key lengths. The pgcrypto extension can be installed by any database role with CREATE privileges, increasing the risk of exploitation. The proof-of-concept exploit involves an information leak, arbitrary write, and privilege escalation to remote code execution. The vulnerability affects all major versions of PostgreSQL prior to the February 2026 releases, which include versions 18.2, 17.8, 16.12, 15.16, and 14.21. Mitigation steps include upgrading to patched versions, restricting CREATE privileges, blocking direct internet exposure, rotating database credentials, auditing the usage of COPY FROM PROGRAM, and verifying patched engine versions for cloud-managed PostgreSQL users.

Tech Optimizer

May 19, 2026

Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections

The PostgreSQL Global Development Group has released security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 vulnerabilities, including critical issues related to arbitrary code execution and SQL injection flaws. All supported branches from 14 through 18 are affected by vulnerabilities, necessitating updates. Database administrators can perform in-place upgrades without needing a dump/restore. Key vulnerabilities include: - CVE-2026-6637: Stack buffer overflow in the refint module allowing arbitrary code execution. - CVE-2026-6472: Privilege bypass and arbitrary SQL execution. - CVE-2026-6473: Potential remote code execution and memory corruption. - CVE-2026-6474: Server memory information leak. - CVE-2026-6475: Arbitrary file overwrite vulnerability. - CVE-2026-6476: SQL injection with superuser execution. - CVE-2026-6477: Client-side code execution risk. - CVE-2026-6478: MD5 credential timing leak. - CVE-2026-6479: SSL/GSS denial-of-service flaw. - CVE-2026-6575: Limited memory disclosure issue. - CVE-2026-6638: SQL injection in logical replication. Organizations using PostgreSQL 14 should upgrade to version 14.23 and plan migration to a newer version before the end-of-life on November 12, 2026. The updates are urgent for deployments exposed to the internet or in multi-tenant environments.

Winsage

May 16, 2026

Windows 11 and Microsoft Edge Hacked at Pwn2Own Berlin 2026

On May 14, Pwn2Own Berlin 2026 began, where researchers earned ,000 for 24 unique zero-day vulnerabilities. Cheng-Da Tsai, also known as Orange Tsai, achieved a significant Edge sandbox escape, earning ,000, and later exploited Microsoft Exchange for remote code execution, earning an additional ,000. Tsai accumulated 17.5 Master of Pwn points, contributing to DEVCORE's lead with ,000 in total earnings. Other researchers, including Angelboy and TwinkleStar03, earned ,000 for an Improper Access Control vulnerability, while Marcin Wiązowski and Kentaro Kawane also contributed successful exploits. By the end of Day One, DEVCORE led with ,000, and the event featured a prize pool exceeding ,000,000 across 31 targets. As of Day Two, a total of ,750 had been awarded for 39 unique vulnerabilities, with DEVCORE leading at 40.5 points and ,000 in earnings.

Winsage

May 15, 2026

Windows DNS Client Security Flaw Exposes Systems to Remote Code Execution

Windows systems are threatened by a vulnerability in the Windows DNS Client, identified as CVE-2026-41096, which allows remote code execution without user intervention. It has a CVSS base score of 9.8, indicating high severity. The flaw is a heap-based buffer overflow in the dnsapi.dll component, enabling unauthenticated remote attackers to execute arbitrary code. Exploitation requires sending a specially crafted DNS response to a vulnerable system, potentially leading to complete control over the host. Affected systems include supported versions of Windows 11 and Windows Server 2022/2025. Microsoft released security updates on May 12, 2026, and administrators are advised to apply these patches and reboot systems. Despite the severity, Microsoft currently classifies exploitation as “Exploitation Unlikely,” with no known public exploits or in-the-wild attacks.