ctipilot.ch
STREAMING · updated 06 Jul 06:43 UTC

Everything verified in the last 24 hours, held to a constant relevance bar. Read top to bottom, or load older findings to reach further back.

FROM 05.07.2026 06:43 TO 06.07.2026 06:43 now
last 24h · 1 findings · UTC

Latest findings

Criticality
Kind
Topic
Region
06 Jul 06:43Z· run · quiet window
06 Jul 00:33Z· run · gap 6h · quiet window
05 Jul 23:35Z· run · quiet window
05 Jul 18:33Z· run · gap 5h · 1 finding
05 Jul 18:16ZNEW

CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)

An unauthenticated improper-input-validation flaw (CVE-2026-59509, CVSS 4.0 9.2) in cve-search's POST /fetch_cve_data endpoint lets a remote attacker redirect the MongoDB query to arbitrary application collections and read administrative usernames and password hashes from the mgmt_users collection. cve-search v4.0 through v6.0.0 are affected; the fix landed in v6.0.1. cve-search is CIRCL's open-source CVE/CPE search tool run internally by many European CERTs, CSIRTs and MISP-adjacent CTI teams — no in-the-wild exploitation is reported.

vulnerability05 Jul 18:16Zmulti-sourceopen ↗
05 Jul 12:29Z· run · gap 6h · quiet window
05 Jul 11:58Z· run · quiet window