CVE-2026-50564 (CRITICAL): Fission <1.24.0 lets CRD users deploy privileged pods via unfiltered podSpec, leading to node escape & full compromise. Patch to v1.24.0. Restrict permissions if upgrade not possible. https://radar.offseq.com/threat/ghsa-gx55-f84r-v3r7-fission-environment-crd-podspe-d60bd0900af19d2d #OffSeq #Kubernetes #CVE202650564 #CloudSec
CVE-2026-50566 (CRITICAL): Fission <1.24.0 allows SecurityContext bypass, letting attackers with Environment CRD access create privileged pods — risking container escape & cluster takeover. Patch to 1.24.0 & tighten RBAC. https://radar.offseq.com/threat/ghsa-m63v-2g9w-2w6v-fission-environment-runtimecon-e24c700c3e6ffd6e #OffSeq #Kubernetes #InfoSec
Malicious npm package: 'ripshakti' v80.0.0 (CRITICAL) runs a preinstall script to steal AWS IAM credentials & env secrets, exfiltrating to attacker. Remove, revoke exposed creds, and monitor logs. Details: https://radar.offseq.com/threat/mal-2026-6701-malicious-code-in-ripshakti-npm-d7699e4f981c4772 #OffSeq #npm #CloudSec #SupplyChain
StoneFly Storage Concentrator (SC & SCVM) faces a CRITICAL vulnerability (CVE-2026-50110): hardcoded, encoded credentials allow potential access to databases & internal services. No patch yet — restrict config file access, increase monitoring. https://radar.offseq.com/threat/cve-2026-50110-cwe-798-use-of-hard-coded-credentia-ae0ab8c00c52fe63 #OffSeq #CVE #infosec
CISA BOD 26-04, severity CRITICAL, shifts vuln mgmt for federal orgs: no CVE, but mandates risk-based metrics, audit-ready deferral docs, & coverage of actively exploited vulns. Governance focus, not patch speed. https://radar.offseq.com/threat/how-cisa-bod-26-04-redefines-vulnerability-managem-8a7e52680e36f0bc #OffSeq #CISA #RiskManagement #Infosec
CVE-2026-8402: Eksagate SYSGUARD 6001 (2.0.2 – <6.1.16.0) has a CRITICAL SQL injection (CVSS 9.8). Unsupported by vendor — no fix expected. Isolate or replace affected systems. https://radar.offseq.com/threat/cve-2026-8402-cwe-89-improper-neutralization-of-sp-679f5e5e28b1e119 #OffSeq #CVE20268402 #SQLi #Infosec
CVE-2026-9711: CRITICAL SQL Injection in EventON (Pro) WordPress plugin ≤5.0.11. Unauthenticated attackers can exploit 'search' param if "Enable additional search queries" is enabled. Disable this feature until patched. https://radar.offseq.com/threat/cve-2026-9711-cwe-89-improper-neutralization-of-sp-94cbcb459839c3f2 #OffSeq #WordPress #Vuln
Delta DVP-12SE PLCs face a CRITICAL vulnerability (CVE-2026-12818, CVSS 9.3): unlimited resource allocation in Modbus TCP. No patch yet. Reduce exposure and monitor traffic to mitigate risk. https://radar.offseq.com/threat/cve-2026-12818-cwe-770-allocation-of-resources-wit-5f563298dd2e41a2 #OffSeq #ICS #PLC #Vuln
CVE-2026-12819 (CRITICAL, CVSS 9.3) in deltaww DVP-12SE PLC: Modbus TCP service lacks authentication, allowing unauthenticated access to critical PLC functions. Segment networks & restrict access. https://radar.offseq.com/threat/cve-2026-12819-cwe-306-missing-authentication-for--8fd3769bc2b1bbcf #OffSeq #ICS #Vulnerability #PLCsecurity
Daktronics VFC-DMP-5000, DMP-5000 & DMP-8000 controllers face HIGH severity vulnerabilities: path traversal, arbitrary file upload, default creds. Remote compromise possible if internet-exposed. Patch & change passwords ASAP. https://radar.offseq.com/threat/new-controller-flaws-expose-highway-signs-and-bill-ddf5e12e278a7db8 #OffSeq #ICS #Vuln