THE SHATTERED GATEWAY:
24 CRITICAL COMPROMISES

Disclosed on May 20, 2026 via security advisory **SA-CORE-2026-004**, this critical vulnerability exposes Drupal Core installations backed by a PostgreSQL database backend. Sites utilizing MySQL, MariaDB, or SQLite are unaffected.

The vulnerability lies in Drupal's database abstraction layer. When a PostgreSQL driver parses complex entity arrays (such as those generated during JSON:API lookups or exposed views filters), the system fails to sanitize associative array keys. Because the driver constructs SQL components dynamically by looping through parameter keys without binding them to placeholders, malicious array indexes are concatenated directly into execution commands.

This structural failure bypasses standard PHP PDO parameter shielding, allowing external unauthenticated threat actors to execute arbitrary SQL commands. Under post-exploitation scenarios, adversaries extract session tokens, retrieve administrator credential hashes, or execute command commands via PostgreSQL systems integration loops.

Langflow provides a graphical interface for developing AI agents. However, default installations of Langflow up to `1.6.9` set `allow_origins='*'` while simultaneously enabling `allow_credentials=True`. This direct violation of standard CORS security protocols allows dynamic origin pages to read responses from the Langflow interface.

The vulnerability triggers when developers who are authenticated to a local or corporate Langflow server visit a malicious external website. Since the Langflow refresh token endpoint utilizes permissive SameSite configurations, the external browser tab successfully transmits requests with active cookies to obtain fresh JWT tokens.

Once the threat actor's scripts read the fresh API tokens from response payloads, they issue authenticated API requests to upload custom Langflow Python components. By injecting system commands directly into execution routes, they gain complete Remote Code Execution on the system hosting the AI models.

Disclosed as actively exploited in the wild, this vulnerability affects the on-premise deployments of Trend Micro Apex One. The SaaS version is unaffected.

The flaw lies within the file routing parameters analyzed by the console's internal update services. Low-privilege users manipulate URL structures to bypass root folder restrictions, escaping the sandbox bounds of the application server.

By writing arbitrary configuration payloads directly into agent distribution paths, attackers drop untrusted binaries across all downstream systems. This allows threat actors to compromise thousands of connected local systems simultaneously.

AI assistants read active workspace files to provide code completions. When developers open repositories containing poisoned markdown files or code comments, the AI parses the hidden prompt instructions automatically.

These poisoned instructions hijack the assistant's behavior, instructing the tool to scan the developer's local environment files for sensitive details like AWS, GitHub, or GCP access keys.

Once gathered, the system exfiltrates the secrets to attacker-controlled destinations. This represents a silent supply chain risk that bypasses traditional file scanner controls.

Disclosed as a critical zero-day exploit, this flaw targets Citrix NetScaler interfaces. Remote unauthenticated actors can send malformed payload requests to trigger out-of-bounds buffer reads.

The memory leakage stems from an off-by-one check inside the system's SSL VPN parsing library. By packing TCP payloads with custom structures, the engine aligns heap memory arrays with active system logs.

Adversaries obtain active cookies, administrative passwords, and encrypted configuration data from subsequent response bytes, bypassing VPN perimeter validations entirely.

A path-traversal vulnerability in UniFi Network Application endpoints allows attackers to access restricted admin setup routines without valid credentials, resulting in network controller hijack.

The issue exists due to flawed sanitization protocols in the web API routing subsystem. By submitting custom directory traversal parameters, adversaries bypass credential checks.

Once accessed, unauthenticated actors alter administrative permissions, register rogue access nodes, and monitor private enterprise network activities.

By inputting system characters within support request fields, external unauthenticated actors trigger command execution on the underlying Linux host appliance.

The vulnerability stems from improper validation of input parameters before they are passed into shell processing modules. Attackers use common shell symbols to break out of text inputs.

This results in complete administrative access to the appliance host, allowing threat actors to manipulate active support sessions and compromise downstream user environments.

Chromium's V8 JIT compiler contains type confusion flaws. Attackers serve malformed scripts on targeted sites to execute shell commands directly on browser hosts.

The vulnerability targets JIT optimization arrays, tricking the rendering engine into handling variables as incorrect class definitions. This bypasses pointer protections.

By structuring Javascript inputs carefully, threat actors escape the browser sandbox and execute arbitrary binary structures with local user permissions.

Many coding plugins collect usage metrics. However, if plugins fail to filter active variables from system headers, they can exfiltrate production cloud tokens over the network.

Threat actors intercept or harvest metrics streams from third-party telemetry servers that lack strict validation. Unsanitized developer properties represent key leakage paths.

By collecting these metrics packets, adversaries reconstruct valid cloud credentials, gaining immediate unauthorized access to connected enterprise cloud resources.

Allows attackers to impersonate administrative user sessions by submitting custom cookies to `/common/login.php`, bypassing authentication entirely.

The vulnerability stems from a logical breakdown in the platform's authentication verification routines. When session cookies are parsed, the service maps missing variables to administrative parameters instead of throwing authorization errors.

By exploiting this flaw, external unauthenticated actors deploy rogue configuration profiles and execute arbitrary shell commands across all systems managed by the appliance.

RecoverPoint containers contain hardcoded administrative credentials. External actors can access management consoles via SSH and execute root-level commands.

The hardcoded credential profile resides within the system's container templates. Because these profiles cannot be updated or disabled using standard administrative menus, they represent a permanent backdoor.

By logging in via SSH, attackers gain root-level console control, compromising the host virtual machines and backup systems in adjacent virtualized environments.

Fails to validate input parameters sent to Langflow's visual workflow parser, allowing unauthenticated remote execution of host OS commands.

The vulnerability lies in the dynamic parsing engine used to compile workflow diagrams. When custom node variables are ingested, the system executes raw string expressions.

Adversaries leverage this by sending malformed HTTP payloads, executing commands on host operating systems, and capturing complete environment access.

A session validation bypass in Ivanti Connect Secure gateways allows unauthenticated attackers to write files to system paths, gaining remote command execution.

This issue combines input validation failures with permissive file write access on backend API routers. By routing requests around authentication steps, attackers inject custom script files into web directories.

This grants persistent backdoor access to the VPN concentrator host, letting threat actors intercept downstream network traffic and pivot into internal subnets.

Allows validators or telemetry node operators to capture blockspace parameters pre-execution, causing transaction front-running.

The vulnerability stems from unencrypted, unauthenticated metrics broadcasting protocols used by decentralized scheduling pools. Because peer nodes trust inbound telemetry variables without cryptographic verification, malicious nodes inject manipulated network lag parameters.

By delaying specific blockspace assignments, adversaries front-run transaction sequences, shifting profit yields away from users and creating consensus instability across adjacent shards.

Disclosed as a critical firewall vulnerability and actively exploited by state-sponsored actors, CVE-2025-0108 exposes PAN-OS administrative web portals to complete authentication bypasses. The flaw permits remote unauthenticated actors with network access to administrative interfaces to acquire full administrative privileges.

The vulnerability lies in the authorization validation filter pipelines of the web-based management server. By presenting specific HTTP request headers, adversaries trick internal verification modules into believing the request originated from trusted local loopback contexts, creating an active administrative session.

Once inside, threat actors modify network access rules, download system configurations containing private credentials, and establish persistent out-of-band communication tunnels, using the firewall as a backdoor into internal network zones.

This threat targets modern cloud architectures that utilize federated OpenID Connect (OIDC) identity providers, such as GitHub Actions, to assign dynamic access keys to automated workflows. The issue exists because enterprise cloud IAM role trust relationships fail to enforce specific claims constraints.

By using permissive configurations, trust structures accept wildcard tokens from any repository matching broad organization headers. Attackers leverage this by submitting fork pull requests containing malicious build actions to trigger token issuance.

The GitHub runner fetches an OIDC JSON Web Token (JWT) matching the permissive trust boundary, presenting it to AWS or GCP to request high-privilege credentials and compromise cloud environments.

Disclosed as a critical vulnerability and actively targeted during ransomware campaigns, CVE-2025-5001 impacts Veeam Backup & Replication services. It allows unauthenticated remote threat actors to run commands on the host appliance.

The vulnerability stems from improper validation of input streams by the service's internal TCP listener. When parsing serialized protocol buffers, the engine instantiates classes without validating boundaries, executing code directly in memory.

Adversaries exploit this flaw to execute system commands with administrative privileges, disable local security controls, and capture full command of corporate backup infrastructure.

As AI models are deployed across automated production pipelines, security perimeters have expanded. CVE-2026-4433 identifies an unsafe deserialization vector inside TensorFlow's Keras API, enabling Remote Code Execution.

The issue occurs when the `tf.keras.models.load_model` routine evaluates custom `Lambda` compilation layers. Because the framework parses executable Python scripts directly from serialized JSON arrays, malicious files run arbitrary commands on the system.

Adversaries upload poisoned models to public hubs like Hugging Face. When pipelines download and process these files, attackers gain complete host access, pivoting to cloud databases.

This critical vulnerability affects VMware hypervisors. Root users within guest virtual machines exploit the flaw to bypass memory boundaries and execute arbitrary commands on the ESXi host.

The problem resides in the SCSI disk emulation engine. By transmitting malformed request signals to virtual disk controllers, guest environments trigger heap-based buffer overflows.

Adversaries overwrite hypervisor memory spaces with custom binary payloads, escaping VM controls to take command of all virtualized infrastructure.

This threat targets container-based software compilation pipelines. When Docker-in-Docker is configured with permissive security options, unprivileged users leverage the setup to escape container limits.

By crafting custom repository pipelines that mount `/var/run/docker.sock` within build containers, attackers send execution instructions directly to the host operating system.

This grants unmitigated control of the host machine, bypassing container-level security boundaries entirely and letting threat actors modify active pipeline builds.

This vulnerability affects SolarWinds Access Rights Manager (ARM) instances. Unauthenticated remote actors with network access to the API endpoints exploit this vulnerability to execute commands as `SYSTEM`.

The flaw exists within the portal's communication modules, which process binary-formatted streams without adequate validation. Threat actors transmit malformed request parameters to trigger code execution.

Since the service runs with root permissions, compromised environments grant attackers total administrative control, compromising Active Directory infrastructures.

This supply chain vulnerability targets AI research workstations. Attackers upload poisoned model checkpoints to public directories, embedding malicious exfiltration routines.

The issue stems from the execution of unverified serialization files. When developers cache and load these models, hidden commands are parsed and executed by context-gathering tools.

Adversaries capture local credential variables and transmit them to external servers, gaining access to private corporate model repositories.

This client-side vulnerability impacts Apple's WebKit HTML rendering engine. Threat actors deliver exploit payloads through compromised websites to execute arbitrary code on user devices.

The flaw involves a type confusion issue within JIT optimization loops. Malformed scripts trigger incorrect memory allocation adjustments, allowing attackers to overwrite key variables.

Adversaries utilize this to escape local browser sandboxes and execute system-level commands, compromising user files and accessing local environments.

This critical vulnerability affects Kubernetes container orchestration perimeters. Bypassing authorization checks in Kubelet interfaces allows remote unauthenticated actors to access administrative endpoints.

The issue occurs due to failures in Kubelet's client certificate verification process. Attackers present specially structured certificates to bypass webhook authorization checks.

Once inside, adversaries query cluster node APIs to extract environment configuration variables and steal system tokens, gaining total control of connected cluster resources.