ZeroPath at Black Hat USA 2026

ZeroPath Blog & Research

Explore our team's latest research and stay up to date with ZeroPath's capabilities.
Brief Summary: CVE-2026-34275 — Oracle E-Business Suite Advanced Inbound Telephony Unauthenticated Takeover via HTTP
CVE Analysis

2026-04-21

5 min read

Brief Summary: CVE-2026-34275 — Oracle E-Business Suite Advanced Inbound Telephony Unauthenticated Takeover via HTTP

A short review of CVE-2026-34275, a CVSS 9.8 vulnerability in Oracle E-Business Suite's Advanced Inbound Telephony that allows unauthenticated attackers to fully compromise the system over HTTP.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Oracle Enterprise Manager CVE-2026-34279 Critical Event Management Takeover Vulnerability
CVE Analysis

2026-04-21

6 min read

Brief Summary: Oracle Enterprise Manager CVE-2026-34279 Critical Event Management Takeover Vulnerability

A brief summary of CVE-2026-34279, a critical (CVSS 9.1) vulnerability in Oracle Enterprise Manager Base Platform's Event Management component that enables full platform takeover with scope change. Includes patch information from Oracle's April 2026 CPU.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Quick Look: CVE-2026-34286, Critical Unauthenticated Access Flaw in Oracle Identity Manager Connector
CVE Analysis

2026-04-21

6 min read

Quick Look: CVE-2026-34286, Critical Unauthenticated Access Flaw in Oracle Identity Manager Connector

A brief summary of CVE-2026-34286, a CVSS 9.1 vulnerability in Oracle Identity Manager Connector that allows unauthenticated attackers to read and modify critical identity data over HTTPS. Includes patch information from Oracle's April 2026 CPU.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-34287 — Unauthenticated Data Access in Oracle Identity Manager Connector Core Component
CVE Analysis

2026-04-21

6 min read

Brief Summary: CVE-2026-34287 — Unauthenticated Data Access in Oracle Identity Manager Connector Core Component

A short review of CVE-2026-34287, a CVSS 9.1 vulnerability in Oracle Identity Manager Connector that allows unauthenticated attackers to read and modify critical identity data over HTTPS. Includes patch information and affected version details.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Oracle HTTP Server CVE-2026-34291 Core Component Vulnerability with Scope Change
CVE Analysis

2026-04-21

6 min read

Brief Summary: Oracle HTTP Server CVE-2026-34291 Core Component Vulnerability with Scope Change

A short review of CVE-2026-34291, a high severity vulnerability in Oracle HTTP Server's Core component that allows unauthenticated attackers to compromise confidentiality and integrity with potential impact beyond the web tier. Includes patch information from Oracle's April 2026 Critical Patch Update.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-34305 — Unauthenticated Data Exposure in Oracle WebLogic Server Web Services
CVE Analysis

2026-04-21

6 min read

Brief Summary: CVE-2026-34305 — Unauthenticated Data Exposure in Oracle WebLogic Server Web Services

A short review of CVE-2026-34305, a high severity information disclosure vulnerability in Oracle WebLogic Server's Web Services component that allows unauthenticated attackers to access critical data over HTTP. Includes patch guidance from Oracle's April 2026 Critical Patch Update.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Oracle Database Server Java VM Unauthenticated Data Exposure (CVE-2026-35229)
CVE Analysis

2026-04-21

5 min read

Brief Summary: Oracle Database Server Java VM Unauthenticated Data Exposure (CVE-2026-35229)

A short review of CVE-2026-35229, a high severity vulnerability in the Oracle Database Server Java VM component that allows unauthenticated attackers to access critical data over Oracle Net without any privileges or user interaction.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Dell PowerProtect Data Domain CVE-2026-26943 OS Command Injection Leading to Root Execution
CVE Analysis

2026-04-20

6 min read

Brief Summary: Dell PowerProtect Data Domain CVE-2026-26943 OS Command Injection Leading to Root Execution

A short review of CVE-2026-26943, a high severity OS command injection vulnerability in Dell PowerProtect Data Domain that allows a privileged remote attacker to execute arbitrary commands as root across multiple release trains.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-26944 Missing Authentication in Dell PowerProtect Data Domain Enables Remote Root Command Execution
CVE Analysis

2026-04-20

7 min read

Brief Summary: CVE-2026-26944 Missing Authentication in Dell PowerProtect Data Domain Enables Remote Root Command Execution

A short review of CVE-2026-26944, a missing authentication vulnerability in Dell PowerProtect Data Domain that allows unauthenticated remote attackers to achieve root command execution with user interaction. Includes patch details and affected version ranges.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Spinnaker CVE-2026-32604 Remote Code Execution via GitRepo Artifact Input Injection
CVE Analysis

2026-04-20

6 min read

Brief Summary: Spinnaker CVE-2026-32604 Remote Code Execution via GitRepo Artifact Input Injection

A short review of CVE-2026-32604, a critical remote code execution vulnerability in Spinnaker's clouddriver component caused by improper input validation in gitrepo artifact branch and path fields.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Spinnaker Echo RCE via Unrestricted SpEL Evaluation (CVE-2026-32613)
CVE Analysis

2026-04-20

8 min read

Brief Summary: Spinnaker Echo RCE via Unrestricted SpEL Evaluation (CVE-2026-32613)

A short review of CVE-2026-32613, a critical remote code execution vulnerability in Spinnaker's Echo service caused by unrestricted Spring Expression Language evaluation. Includes patch details and affected version information.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Everest Forms CVE-2026-5478: Brief Summary of Unauthenticated File Read and Deletion via Path Traversal
CVE Analysis

2026-04-20

10 min read

Everest Forms CVE-2026-5478: Brief Summary of Unauthenticated File Read and Deletion via Path Traversal

A brief summary of CVE-2026-5478, a path traversal vulnerability in the Everest Forms WordPress plugin that allows unauthenticated attackers to read and delete arbitrary files. Includes patch analysis and mitigation guidance.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: Dell PowerProtect Data Domain CVE-2026-23778 Command Injection Enabling Root Access
CVE Analysis

2026-04-17

7 min read

Brief Summary: Dell PowerProtect Data Domain CVE-2026-23778 Command Injection Enabling Root Access

A brief summary of CVE-2026-23778, a high severity command injection vulnerability in Dell PowerProtect Data Domain OS that allows privileged remote attackers to gain root access. Includes patch information and affected version details.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Cloud Foundry UAA CVE-2026-22734: SAML 2.0 Bearer Assertion Signature Bypass Allows Token Forgery — Brief Summary and Patch Analysis
CVE Analysis

2026-04-16

8 min read

Cloud Foundry UAA CVE-2026-22734: SAML 2.0 Bearer Assertion Signature Bypass Allows Token Forgery — Brief Summary and Patch Analysis

A brief summary of CVE-2026-22734, a high severity SAML 2.0 signature bypass in Cloud Foundry UAA that allows unauthenticated attackers to forge OAuth tokens for any user. Includes patch details and affected version ranges.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

HashiCorp Vault CVE-2026-4525: Brief Summary of Token Exposure via Authorization Header Passthrough
CVE Analysis

2026-04-16

6 min read

HashiCorp Vault CVE-2026-4525: Brief Summary of Token Exposure via Authorization Header Passthrough

A brief summary of CVE-2026-4525, a header sanitization flaw in HashiCorp Vault that can forward Vault tokens to auth plugin backends when specific passthrough configurations are active. Covers technical root cause, affected versions, and remediation guidance.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-5231 — Unauthenticated Stored XSS in WP Statistics via utm_source Parameter
CVE Analysis

2026-04-16

7 min read

Brief Summary: CVE-2026-5231 — Unauthenticated Stored XSS in WP Statistics via utm_source Parameter

A short review of CVE-2026-5231, a high severity stored cross-site scripting vulnerability in the WP Statistics WordPress plugin that allows unauthenticated attackers to inject scripts via the utm_source parameter. Includes patch details for version 14.16.5.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-5785 Authenticated SQL Injection in ManageEngine Password Manager Pro and PAM360
CVE Analysis

2026-04-16

7 min read

Brief Summary: CVE-2026-5785 Authenticated SQL Injection in ManageEngine Password Manager Pro and PAM360

A short review of CVE-2026-5785, a high severity authenticated SQL injection in ManageEngine Password Manager Pro and PAM360 that allows privilege escalation from Password Auditor to Privileged Administrator. Includes patch details and vendor history.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

HashiCorp Vault CVE-2026-5807: Brief Summary of Unauthenticated Denial of Service Blocking Root Token and Rekey Operations
CVE Analysis

2026-04-16

8 min read

HashiCorp Vault CVE-2026-5807: Brief Summary of Unauthenticated Denial of Service Blocking Root Token and Rekey Operations

A brief summary of CVE-2026-5807, a high severity denial of service vulnerability in HashiCorp Vault that allows unauthenticated attackers to block root token generation and rekey ceremonies. Includes patch details for Vault 2.0.0 and vendor security history.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-6270 — @fastify/middie Authentication Bypass via Child Plugin Scope Inheritance Failure
CVE Analysis

2026-04-16

7 min read

Brief Summary: CVE-2026-6270 — @fastify/middie Authentication Bypass via Child Plugin Scope Inheritance Failure

A brief summary of CVE-2026-6270, a critical authentication bypass in @fastify/middie versions 9.3.1 and earlier where middleware registered in parent scopes silently fails to propagate to child plugin routes, allowing unauthenticated access.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Brief Summary: CVE-2026-6443 — Supply Chain Backdoor in WordPress Accordion and Accordion Slider Plugin
CVE Analysis

2026-04-16

10 min read

Brief Summary: CVE-2026-6443 — Supply Chain Backdoor in WordPress Accordion and Accordion Slider Plugin

A short review of CVE-2026-6443, a CVSS 9.8 supply chain backdoor injected into the Accordion and Accordion Slider WordPress plugin after a malicious actor purchased the plugin portfolio. Includes technical details on the PHP deserialization backdoor, patch information, and remediation guidance.

ZeroPath CVE Analysis

ZeroPath CVE Analysis

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization
CVE Analysis | ZeroPath Security Blog - Vulnerability Research & Exploits | Page 25 | ZeroPath