Tag: no-patch

All items tagged no-patch.

• CVE-2026-12789 — ILIAS 11.0: unpatched, PoC-public SQL injection in the learning-progress subsystem (DACH education exposure)
  in 2026-06-23
• "Squidbleed" — a 29-year-old heap over-read in Squid's FTP gateway leaks other users' cleartext HTTP credentials (CVE-2026-47729)
  in 2026-06-23
• Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon
  in 2026-W25
• Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds
  in 2026-W25
• UPDATE: Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch
  in 2026-06-19
• "GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
  in 2026-06-12
• "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch
  in 2026-06-11
• CVE-2026-49200 / CVE-2026-49201 — Acer Wave-7 mesh routers: cleartext-credential log + hardcoded backup key, CVSS 10.0, no patch
  in 2026-06-08
• CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices
  in 2026-W23
• CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities
  in 2026-06-05
• Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch
  in 2026-06-04
• CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
  in 2026-06-02
• UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (`cldflt.sys` SYSTEM escalation) remain unpatched; researcher announces July 14 drop
  in 2026-05-30
• Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive
  in 2026-05-29
• CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]
  in 2026-05-27
• Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks
  in 2026-W22
• CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)
  in 2026-05-21
• Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
  in 2026-05-20
• Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch
  in 2026-05-20
• Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]
  in 2026-05-20
• UPDATE: CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation
  in 2026-05-20
• UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression
  in 2026-05-19
• UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`
  in 2026-05-18
• Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma
  in 2026-W21
• CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched
  in 2026-W21
• CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
  in 2026-W21
• Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture
  in 2026-W20
• Windows BitLocker "YellowKey" + CTFMON "GreenPlasma" — public PoC, no patch, TPM-only BitLocker bypassed
  in 2026-W20
• Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain
  in 2026-W20
• Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" — public PoC, no patch
  in 2026-W20
• UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
  in 2026-05-17
• CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch
  in 2026-05-16
• Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed
  in 2026-05-15
• CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
  in 2026-W19
• CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
  in 2026-W19
• BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix
  in 2026-05-11
• Restrict pfSense CE management interfaces; assume no patch is coming
  in 2026-05-11