PULSE
LIVE17signals / 24h
FEED
ransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Foundransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Found
← All CVEs
CVE WatchJul 14, 2026

CVE-2026-57951

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition tha

CVSS

6.5

Medium

EPSS

0.2%

p16

KEV

Exploit Today

5

0-100

Published: Jun 29, 2026 · Last modified: Jul 14, 2026 · CWE-863

EPSS · 30d
0.2%EPSS · 30 days0.3%
2026-06-302026-07-19
Technical description

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-350298.8 HIG
97.8%
29LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.5d
CVE-2026-479967.6 HIG
96.9%
29Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.4d
CVE-2025-324622.8 LOW
86.9%
26Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.5d
CVE-2021-289367.5 HIG
78.9%
24The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.11d
CVE-2021-406397.5 HIG
64.4%
19Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.11d
CVE-2022-366348.8 HIG
59.9%
18An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.11d