

CVE-2026-26980: Ghost CMS Mass Compromise via ClickFix Attacks
Over 700 Ghost sites hijacked in a coordinated campaign using CVE-2026-26980 combined with ClickFix social engineering. Active exploitation ongoing.
ninp0
May 26 · 3 min read


CVE-2026-20223: Critical Auth Bypass in Cisco Secure Workload (CVSS 10.0)
Unauthenticated, remote API access to Site Admin privileges via crafted request to Cisco Secure Workload's management layer. Affects both SaaS and on-prem deployments.
ninp0
May 26 · 3 min read


CVE-2026-9082: Critical SQL Injection in Drupal Core Confirmed in the Wild
An analysis of CVE-2026-9082, a highly critical unauthenticated SQL injection in Drupal core (rated 20/25), listed by CISA KEV as actively exploited. Covers the PostgreSQL-only attack path, exploitation timeline, affected versions, and immediate mitigation guidance.
ninp0
May 22 · 3 min read


CVE-2026-42208 and the LiteLLM Authorization Header SQL Injection
A whitepaper-style analysis of CVE-2026-42208 in LiteLLM, covering the pre-authentication SQL injection path, observed exploitation activity, public PoC references, and safe lab-only 0day Inc validation guidance.
ninp0
Apr 28 · 6 min read


CVE-2026-6770 and the Firefox IndexedDB Cross-Origin Correlation Leak
A whitepaper-style analysis of CVE-2026-6770 in Firefox and Tor Browser, covering the IndexedDB ordering leak, public proof-of-concept references, and safe 0day Inc lab demonstrations for defenders.
ninp0
Apr 28 · 6 min read

