ZeroPath Blog & Research
Explore our team's latest research and stay up to date with ZeroPath's capabilities.

CVE Analysis
•2026-05-29
•10 min read
OpenShift Router CVE-2026-42965: Cloud Metadata SSRF via FQDN EndpointSlice Bypass — Quick Look
A brief summary of CVE-2026-42965, a high severity SSRF vulnerability in the OpenShift Router that allows users with EndpointSlice write access to bypass IP validation by using FQDN typed endpoints that resolve to cloud metadata addresses, potentially exposing instance credentials.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•9 min read
Home Assistant Companion App CVE-2026-44698: Quick Look at Cross-Origin Token Exfiltration via WebView JavaScript Bridge
A brief summary of CVE-2026-44698, a high severity vulnerability in the Home Assistant Companion apps for Android and iOS where a cross-origin iframe can exploit the WebView JavaScript bridge to steal the signed-in user's OAuth access token.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•9 min read
Brief Summary: CVE-2026-44962, Critical XPath Injection to Root in Plesk APS Catalog
A brief summary of CVE-2026-44962, a CVSS 9.9 XPath injection vulnerability in Plesk's APS Application Catalog that allows any authenticated low privileged user to escalate to root through arbitrary OS command execution.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•10 min read
OpenShift Router CVE-2026-46579: mTLS Authentication Bypass via Header Spoofing on HTTP Frontend
A brief summary of CVE-2026-46579, a CVSS 7.4 authentication bypass in the OpenShift Router where the HTTP frontend fails to strip X-SSL-Client headers, allowing unauthenticated attackers to spoof mTLS client certificate identities on routes configured with insecureEdgeTerminationPolicy set to Allow.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•10 min read
Quick Look: CVE-2026-48501 — GitHub CLI Token Leakage via Flawed Host Normalization in TUF Verification Commands
A brief summary of CVE-2026-48501, a high severity token leakage vulnerability in GitHub CLI where flawed host normalization causes authentication tokens to be sent to external, non-GitHub hosts during attestation and release verification commands. Patch information and affected versions are included.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•8 min read
Brief Summary: JetBrains IntelliJ IDEA CVE-2026-49366 Command Injection via Filename Completion
A short review of CVE-2026-49366, a high severity command injection vulnerability in JetBrains IntelliJ IDEA that allows arbitrary OS command execution through the IDE's filename completion feature, affecting all versions before 2026.1.1.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•8 min read
Brief Summary: CVE-2026-49367 — JetBrains IntelliJ IDEA Guest User Command Execution via Missing Authorization in Code With Me
A short review of CVE-2026-49367, a high severity missing authorization flaw in JetBrains IntelliJ IDEA's Code With Me feature that allows guest users to execute commands on the host machine regardless of their assigned permission level.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•10 min read
Quick Look: CVE-2026-49372 — Unauthenticated SSRF in JetBrains TeamCity Build Status
A brief summary of CVE-2026-49372, an unauthenticated Server-Side Request Forgery vulnerability in JetBrains TeamCity On-Premises triggered via the build status feature, with a CVSS score of 7.5 and implications for CI/CD infrastructure security.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•7 min read
JetBrains TeamCity CVE-2026-49373: Brief Summary of Argument Injection RCE via Perforce Connection Settings
A brief summary of CVE-2026-49373, a high severity argument injection vulnerability in JetBrains TeamCity that enables remote code execution through malicious Perforce VCS root connection settings.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-29
•10 min read
Mautic CVE-2026-9558: Brief Summary of Critical SSTI to RCE in the Theme Engine
A brief summary of CVE-2026-9558, a critical (CVSS 9.9) Server-Side Template Injection vulnerability in Mautic's theme engine that allows authenticated users to achieve Remote Code Execution through unsandboxed Twig template rendering.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Oracle Hospitality OPERA 5 CVE-2026-34311: Brief Summary of a Critical Unauthenticated Takeover Vulnerability
A brief summary of CVE-2026-34311, a CVSS 9.8 unauthenticated takeover vulnerability in Oracle Hospitality OPERA 5 Property Services affecting five supported versions across the 5.6.x release family.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Oracle REST Data Services CVE-2026-35277: Brief Summary of a High Severity Data Access Vulnerability in the Core Component
A short review of CVE-2026-35277, a CVSS 8.1 vulnerability in Oracle REST Data Services that allows low privileged attackers to read and modify critical data across all ORDS accessible resources via HTTPS.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•8 min read
Brief Summary: Kibana CVE-2026-42398 SSRF Allowlist Bypass via Webhook Connector
A short review of CVE-2026-42398, a high severity SSRF vulnerability in Kibana that allows authenticated users to bypass the operator configured connection allowlist through crafted Webhook connectors, and why it matters in the context of Kibana's recurring SSRF pattern in 2026.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Samba CVE-2026-4408: Overview of Unauthenticated Remote Code Execution via SAMR Password Script Injection
A brief summary of CVE-2026-4408, a critical unauthenticated remote code execution vulnerability in Samba's SAMR server caused by unescaped shell meta-characters in the check password script feature. Includes patch details and affected version information.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Brief Summary: CVE-2026-46775 Oracle REST Data Services Core Component Takeover with Scope Change (CVSS 9.9)
A short review of CVE-2026-46775, a CVSS 9.9 vulnerability in Oracle REST Data Services (ORDS) Core component that allows a low privileged attacker to achieve full takeover with scope change, potentially compromising connected Oracle Database instances and downstream services.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Oracle E-Business Suite CVE-2026-46817: Brief Summary of a Critical Unauthenticated Payments Takeover
A brief summary of CVE-2026-46817, a CVSS 9.8 unauthenticated vulnerability in Oracle E-Business Suite's Payments File Transmission component affecting versions 12.2.3 through 12.2.15, with context on threat actor interest and the companion vulnerability CVE-2026-46818.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Brief Summary: CVE-2026-46819 — Unauthenticated Data Access in Oracle E-Business Suite Internet Procurement Connector
A short review of CVE-2026-46819, a CVSS 9.1 unauthenticated vulnerability in Oracle E-Business Suite's Internet Procurement Connector that enables unauthorized access to and manipulation of critical procurement data over HTTP. Patch information from Oracle's inaugural monthly CSPU is included.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Overview of CVE-2026-46820: Oracle E-Business Suite Financials Common Modules Scope Change Vulnerability
A brief summary of CVE-2026-46820, a high severity vulnerability in Oracle Financials Common Modules (CVSS 8.5) that enables low privileged attackers to access critical financial data and impact additional products through scope change, in the context of sustained threat actor targeting of the Oracle EBS platform.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Quick Look: CVE-2026-46821 — Oracle EBS Financials Common Modules Confidentiality Breach with Scope Change
A brief summary of CVE-2026-46821, a high severity confidentiality vulnerability in Oracle E-Business Suite Financials Common Modules (versions 12.2.3 through 12.2.15) that allows low privileged attackers to access critical data across multiple EBS products. Includes patch information from Oracle's inaugural monthly CSPU release.
ZeroPath CVE Analysis

CVE Analysis
•2026-05-28
•10 min read
Brief Summary: CVE-2026-46822 Oracle iAssets Critical Takeover Vulnerability (CVSS 9.9) in E-Business Suite
A short review of CVE-2026-46822, a CVSS 9.9 vulnerability in Oracle iAssets (E-Business Suite) that allows a low privileged attacker to achieve full system takeover with scope change impacting adjacent EBS modules. Covers technical details, threat context from prior Cl0p exploitation of Oracle EBS, and mitigation guidance.
ZeroPath CVE Analysis