Security advisory

Enterprise Security at Risk as Critical Flaw Found in OpenAI’s Codex

Codex Enabled GitHub Token Theft

File Read Vulnerability in SmartSlider Impacts 500K WordPress Sites

vulnerability in the Smart Slider 3 WordPress plugin

Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE

PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3.

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:

Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

Description

The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
CVE-2026-4681 has been reported
- CWE – CWE-94: Improper Control of Generation of Code (‘Code Injection’) (4.19.1)
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
  - CVSS v3.1 Base Score: 10.0 (Critical)
  - CVSS v4 Base Score: 9.3 (Critical)
At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

Immediate Mitigation Steps

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:

For Apache HTTP Server

Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.
Add the following directive:

<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied

Ensure this file is the last in the configuration sequence and restart the Apache server.

For Microsoft IIS

Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.
Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.
Restart IIS using iisreset and confirm the rule is active in IIS Manager.

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.

Additional Protection Measures

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet.

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise

Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:

Network and User-Agent Patterns

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=

File System Indicators

GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)
Any dpr_<8-hex-digits>.jsp file
Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.

Log and Error Patterns

Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any identified

Log and Error Patterns

Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans.

This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.

By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data

Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv

CVE-2026-33409-Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session

Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session

Vulnerabilities in IP-KVMs from 4 Vendors; Risk for Unauthenticated Root Access

Severe vulnerabilities found in IP KVM may allow unauthenticated hackers to gain root access or run malicious code on them. These vulnerabilities have CVSS scores ranging from 3.1 to 9.8.

There are great risks associated as a low-cost device have the ability to provide insiders and hackers unusually broad powers in networks that are often not so secured or vulnerable. Recently researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers.

IP-KVMs

When a device sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks. The devices, not much bigger than a deck of cards, allow the machines to be accessed at the BIOS/UEFI level, the firmware that runs before the loading of the operating system.

Risk Associated with IP KVM

If hackers get hands of they might misuse capabilities even in a secured network. Risks are posed when the devices are exposed to the web or internet—are deployed with weak security configurations or surreptitiously connected to by insiders. Firmware vulnerabilities also leave them open to remote takeover.

Its easy for attackers to manipulate device behavior by overwriting configuration files or system binaries, by an attacker can manipulate the device’s behavior. subsequently gain unauthorized access and use the KVM as a pivot point to compromise any target machine connected to it.

“These are not exotic zero-days requiring months of reverse engineering,” Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia wrote. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”

Analysis:

The vulnerabilities are catalogued as CVE-2026-32290, CVE-2026-32291, CVE-2026-32292, CVE-2026-32293, CVE-2026-32294, CVE-2026-32295, CVE-2026-32296, CVE-2026-32297 and CVE-2026-32298, with CVSS scores ranging from 3.1 to 9.8 and some fixes already in place (for example, JetKVM updates and NanoKVM versions) while others remain unpatched.

The analysis notes that an attacker could inject keystrokes, boot from removable media to bypass protections, circumvent lock screens, or remain undetected by OS-level security software, given the devices’ remote BIOS/UEFI access.

Threat Mitigation

Mitigations include enforcing MFA where supported, isolating KVM devices on a dedicated management VLAN, restricting internet access, monitoring traffic, and keeping firmware up-to-date, according to Eclypsium.

This vulnerability alone dictates the term immediate network isolation of any deployed Angeet ES3 device.

Requirement of Robust firmware validation and strong access controls

For robust Firmware validation, testing is must but here testing do not imply checking if the coding is working or not. Instead it is a systematic process of assessing whether firmware meets the defined specifications and quality standards.

We have BI and Data Analytics to redefined outcomes of testing and are measured, with key performance indicators (KPIs) drawn from vast amounts of operation data stored in testing logs and real-time deployment environments.

(Sources: Your KVM is the Weak Link: How $30 Devices Can Own Your Entire Network – Eclypsium | Supply Chain Security for the Modern Enterprise)

ISAC’s Joint Advisory as Cyber & Physical Risks Increase in MiddleEast Conflict; Major Hacking Groups are Threat to Critical Infrastructure

ISAC’s Joint Advisory

Critical YARA Vulnerability Exposes Linux Systems – Patch Now

Summary : YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.

Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.

OEM	Virus Total / YARA Project (Tool)
Severity	Critical
CVSS Score	9.1
CVEs	CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, 2018-19975, 2018-19976
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.

These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
Mach-O Parser Overflow Read Vulnerability	CVE-2021-3402	YARA	Critical	9.1	Updated Ubuntu packages
Mach-O File Parsing Out-of-Bounds Access	CVE-2019-19648	YARA	High	7.8	Updated Ubuntu packages

Technical Summary

The most critical vulnerability CVE-2021-3402 exists in the macho.c implementation used by YARA to parse Mach-O files.

The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory.

Another high-severity vulnerability CVE-2019-19648 affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or execution of malicious code in certain scenarios.

Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2021-3402	YARA (Ubuntu 20.04)	Overflow read vulnerability in Mach-O parsing implementation	DoS, potential information disclosure
CVE-2019-19648	YARA (Ubuntu 20.04)	Out-of-bound memory access during Mach-O file parsing	DoS or possible code execution

Additional Vulnerabilities

The advisory also includes several medium-severity vulnerabilities affecting YARA components.

CVE ID	Vulnerability Details	Impact
CVE-2021-45429	Buffer overflow in yr_set_configuration() when parsing crafted rules	Denial of Service
CVE-2018-19976	YARA virtual machine sandbox escape	Possible code execution
CVE-2018-19975	VM sandbox escape vulnerability	Possible code execution
CVE-2018-19974	Virtual machine security bypass	Possible code execution

Potential Consequences

Disruption of malware detection pipelines

Denial of service in security analysis environments

Information disclosure through crafted files

Potential arbitrary code execution in analysis systems

Reduced visibility in SOC threat detection workflows

Remediation

Upgrade affected packages immediately to the patched versions provided by Ubuntu are mentioning below-

Released patches

Ubuntu Release	Package	Fixed Version
Ubuntu 20.04 LTS	libyara3	3.9.0-1ubuntu0.1 esm1
Ubuntu 20.04 LTS	yara	3.9.0-1ubuntu0.1 esm1
Ubuntu 18.04 LTS	libyara3	3.7.1-1ubuntu2+esm1
Ubuntu 18.04 LTS	yara	3.7.1-1ubuntu2+esm1
Ubuntu 16.04 LTS	libyara3	3.4.0+dfsg-2ubuntu0.1 esm1
	python-yara	3.4.0+dfsg-2ubuntu0.1 esm1
	python3-yara	3.4.0+dfsg-2ubuntu0.1 esm1
	yara	3.4.0+dfsg-2ubuntu0.1 esm1

If immediate patching is not possible, apply the following temporary mitigations –

Restrict scanning of untrusted files in automated YARA pipelines.

Limit rule ingestion from untrusted sources.

Monitor malware analysis systems for abnormal crashes.

Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs.

You can follow the recommendations below as the best practice.

Regularly update malware detection tools.

Validate YARA rules before deployment.

Validate and sandbox file inputs before passing them to YARA for analysis.

Implement least-privilege execution environments for YARA scanning processes.

Monitor logs for abnormal process crashes or memory-related errors in YARA.

Conclusion:
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation.

Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities.

References:

USN-8080-1: YARA vulnerabilities | Ubuntu security notices | Ubuntu

GitHub – VirusTotal/yara: The pattern matching swiss knife · GitHub

Python Regression & Email Header- Ubuntu Security Updates Patch Now

Summary: USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them.

OEM	Python
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2026-0865, CVE-2025-15366, CVE-2025-15367
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Python is a widely used high-level programming language that powers many enterprise applications, automation frameworks, DevOps pipelines, web platforms and email-processing services. Many Linux distributions – Ubuntu provide Python runtime packages as core system components.

Ubuntu released USN-8018-2 to address regressions introduced in the previous security update USN-8018-1. The earlier update attempted to fix vulnerabilities related to email header parsing and input validation but unintentionally introduced compatibility issues affecting IMAP, POP3, and WSGI header processing.

The new advisory prioritizes the fix for CVE-2026-0865, while also addressing issues related to CVE-2025-15366 and CVE-2025-15367.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
WSGI Header Parsing Regression Vulnerability	CVE-2026-0865	Python	Medium	6.5	Updated Python packages
Email Header Injection Vulnerability	CVE-2025-15366	Python	Medium	5.9	Updated Python packages
Improper Email Header Parsing Vulnerability	CVE-2025-15367	Python	Medium	5.9	Updated Python packages

Technical Summary

These vulnerabilities affect multiple Python versions distributed within Ubuntu systems.

The original security update introduced patches intended to address email header parsing vulnerabilities. However, those fixes resulted in unintended behavioural regressions.

The CVE-2026-0865 patch incorrectly rejected horizontal tab characters in WSGI headers, potentially causing web applications relying on Python frameworks to malfunction.

Additionally, patches for CVE-2025-15366 and CVE-2025-15367 affected IMAP and POP3 email processing behavior, which allow upstream developers to avoid backporting those changes due to compatibility concerns.

Ubuntu released updated packages to resolve these regressions while maintaining protection against the underlying vulnerabilities.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-0865	Python (multiple Ubuntu packages)	Incorrect rejection of horizontal tabs in WSGI headers after patch	Web application compatibility issues
CVE-2025-15366	Python email parsing library	Improper parsing allowing email header injection	Email spoofing or message manipulation
CVE-2025-15367	Python email processing modules	Improper validation of message headers	Header manipulation in email processing

Affected Packages

The following Python packages are affected –

python3.4 python3.5 python3.6 python3.7 python3.8

python3.10 python3.12 python3.13 python3.14

Remediation:

Apply the latest Ubuntu security updates immediately-

Fixed Package Versions

Ubuntu Release	Fixed Package Version
Ubuntu 25.10	python3.13 – 3.13.7-1ubuntu0.4 / python3.14 – 3.14.0-1ubuntu0.3
Ubuntu 24.04 LTS	python3.12 – 3.12.3-1ubuntu0.12
Ubuntu 22.04 LTS	python3.10 – 3.10.12-1 22.04.15
Ubuntu 20.04 LTS	python3.8 – 3.8.10-0ubuntu1 20.04.18
Ubuntu 18.04 LTS	Updated ESM packages
Ubuntu 16.04 LTS	Updated ESM packages
Ubuntu 14.04 LTS	Updated ESM packages

If immediate patching is not possible, apply the following temporary mitigations-

Restrict access to email-processing services where Python handles inbound messages.

Validate and sanitize email headers within application logic.

Monitor logs for abnormal IMAP/POP3 parsing errors.

Test Python-based web applications to detect WSGI header parsing issues.

You can follow the recommendations below as a best practice-

Maintain regular patch management for system packages.

Monitor Python runtime libraries for security advisories.

Implement secure email validation mechanisms within applications.

Use application security testing tools to detect input-validation weaknesses.

Monitor logs for abnormal email header patterns or parsing failures.

Conclusion:
The vulnerabilities addressed in USN-8018-2 highlight the risks associated with improper email header parsing and regression issues in widely used programming libraries such as Python. The primary concern, CVE-2026-0865, affects WSGI header handling and could disrupt web applications, while CVE-2025-15366 and CVE-2025-15367 relate to email header parsing weaknesses.

Organizations using Python-based applications or email processing services should prioritize updating affected Ubuntu packages to ensure both security and application stability.

References:

USN-8018-2: Python regression | Ubuntu security notices | Ubuntu

https://www.suse.com/security/cve/CVE-2026-0865.html

2 Cyber security Vulnerabilities Affecting Hikvision & Rockwell Automation-CVSS 9.8 Flaws

CISA emphasized the urgency of addressing these vulnerabilities

ExifTool Vulnerability Capitalizes on Image’s Metadata-Exploiting macOS with Shell Commands

ExifTool that allows malicious image files to execute code on macOS systems discovered by Kaspersky’s Global Research and Analysis Team (GReAT) about the critical vulnerability.