Offensive Sequence
@offseq.bsky.social
OffSeq is a cutting-edge European cybersecurity company helping organizations build digital resilience through tailored, proactive security solutions. #CyberSecurity https://www.offseq.com/ https://radar.offseq.com/ https://guard.offseq.com/
Pinned
Happy 2026 from OffSeq ⚡
Threat Radar moved to a larger server after strong growth (100k users, 500k events last month). Timeline posts resume shortly.

Meanwhile, meet Veil — a local-only steganography studio. Encrypt data in your browser, hide it in images. No uploads.

veil.offseq.com
Veil - client-side steganography studio
Veil is a client-side steganography studio that encrypts messages and files into images using password-based encryption.
CRITICAL: WordPress midi-Synth plugin (≤1.1.0) allows unauthenticated file uploads — attackers can gain RCE. Disable plugin or secure file uploads immediately! https://radar.offseq.com/threat/cve-2026-1306-cwe-434-unrestricted-upload-of-file--95798a0f #OffSeq #WordPress #Security
CVE-2026-1306: CWE-434 Unrestricted Upload of File with Dangerous Type in admink
CVE-2026-1306 is a critical security vulnerability identified in the adminkov midi-Synth plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability arises from the plugin's 'export' AJAX action, which lacks pr
radar.offseq.com
February 15, 2026 at 5:30 AM
CRITICAL: CleanTalk Spam Protection plugin for WordPress allows unauthenticated plugin installs if API key is invalid (CVSS 9.8). Audit your sites & restrict plugin installs ASAP. https://radar.offseq.com/threat/cve-2026-1490-cwe-350-reliance-on-reverse-dns-reso-0fc3066a #OffSeq #WordPress #CVE20...
CVE-2026-1490: CWE-350 Reliance on Reverse DNS Resolution for a Security-Critica
The vulnerability identified as CVE-2026-1490 affects the CleanTalk Spam protection, Honeypot, Anti-Spam plugin for WordPress, a widely used security plugin designed to prevent spam and malicious activity. The root cause is a reliance on re
February 15, 2026 at 4:00 AM
HIGH severity: SSRF in WordPress User Language Switch plugin lets admins access internal services. Audit your sites, restrict admin access, and monitor logs. No patch yet — act fast! https://radar.offseq.com/threat/cve-2026-0745-cwe-918-server-side-request-forgery--d2649c34 #OffSeq #WordPress #SSRF
CVE-2026-0745: CWE-918 Server-Side Request Forgery (SSRF) in webilop User Langua
CVE-2026-0745 is a Server-Side Request Forgery (SSRF) vulnerability identified in the User Language Switch plugin for WordPress, developed by webilop. The vulnerability exists in all versions up to and including 1.6.10 due to insufficient v
February 15, 2026 at 3:00 AM
HIGH severity SQL Injection in PhotoStack Gallery plugin for WordPress — all versions at risk. Unauthenticated attackers can steal DB data. Disable or uninstall plugin while awaiting patch. https://radar.offseq.com/threat/cve-2026-2024-cwe-89-improper-neutralization-of-sp-e9679b86 #OffSeq #WordPr...
CVE-2026-2024: CWE-89 Improper Neutralization of Special Elements used in an SQL
CVE-2026-2024 identifies a critical SQL Injection vulnerability in the PhotoStack Gallery plugin for WordPress, maintained by savitasoni. The vulnerability exists in all versions up to and including 0.4.1 due to insufficient escaping and la
February 15, 2026 at 1:30 AM
HIGH severity XSS in Super Simple Contact Form (WordPress, ≤1.6.2). Unauthenticated attackers can inject scripts. Disable or remove plugin ASAP until patched. https://radar.offseq.com/threat/cve-2026-0753-cwe-79-improper-neutralization-of-in-6158470c #OffSeq #WordPress #XSS
CVE-2026-0753: CWE-79 Improper Neutralization of Input During Web Page Generatio
CVE-2026-0753 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Super Simple Contact Form plugin for WordPress, developed by bitacre. The vulnerability exists in all versions up to and including 1.6.2 due to insuffic
February 15, 2026 at 12:00 AM
HIGH: LFI in wpdecent Flexi Product Slider & Grid for WooCommerce — Contributor users can achieve RCE via insecure 'theme' param. Mitigate: restrict roles, disable plugin, monitor for abuse. Patch when out. https://radar.offseq.com/threat/cve-2026-1988-cwe-98-improper-control-of-filename--9af2696...
CVE-2026-1988: CWE-98 Improper Control of Filename for Include/Require Statement
CVE-2026-1988 is a Local File Inclusion vulnerability categorized under CWE-98 affecting the Flexi Product Slider and Grid for WooCommerce plugin for WordPress. The flaw resides in the handling of the 'theme' parameter within the flexipsg_c
February 14, 2026 at 10:30 AM
HIGH-severity XSS in optimole Super Page Cache plugin affects all WordPress versions — unauthenticated attackers can inject scripts. Update ASAP, use WAF, and audit Activity Log. https://radar.offseq.com/threat/cve-2026-1843-cwe-79-improper-neutralization-of-in-da8cc8a7 #OffSeq #WordPress #XSS
CVE-2026-1843: CWE-79 Improper Neutralization of Input During Web Page Generatio
CVE-2026-1843 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Super Page Cache plugin for WordPress, developed by optimole. This vulnerability exists in all versions up to and including 5.2.2 and is due to improper neutr
February 14, 2026 at 9:00 AM
⚠️ CVE-2026-1306: adminkov midi-Synth on WordPress lets attackers upload files & run code. All versions at risk — update or disable now, monitor uploads! https://radar.offseq.com/threat/cve-2026-1306-cwe-434-unrestricted-upload-of-file--95798a0f #OffSeq #WordPress #Vulnerability
CVE-2026-1306: CWE-434 Unrestricted Upload of File with Dangerous Type in admink
CVE-2026-1306 is a critical security vulnerability identified in the adminkov midi-Synth plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability arises from the plugin's 'export' AJAX action, which lacks pr
February 14, 2026 at 7:30 AM
Hyland OnBase 8.0 hit by CRITICAL vuln: unauth .NET Remoting on TCP/8900 enables RCE & file writes. Restrict port, monitor, patch ASAP. 🛡️ https://radar.offseq.com/threat/cve-2026-26221-cwe-502-deserialization-of-untruste-9949df79 #OffSeq #Hyland #VulnAlert
CVE-2026-26221: CWE-502 Deserialization of Untrusted Data in Hyland OnBase Workf
CVE-2026-26221 is a critical security vulnerability affecting Hyland OnBase Workflow Timer Service version 8.0. The flaw arises from an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTServ
February 14, 2026 at 6:00 AM
Milvus DB faces CRITICAL vuln (CVE-2026-26190, CVSS 9.8): unauth access on port 9091 lets attackers control data & creds. Upgrade to 2.5.27/2.6.10 ASAP! https://radar.offseq.com/threat/cve-2026-26190-cwe-306-missing-authentication-for--6b5551d3 #OffSeq #vulnerability #AIsecurity
CVE-2026-26190: CWE-306: Missing Authentication for Critical Function in milvus-
CVE-2026-26190 is a critical missing authentication vulnerability (CWE-306) affecting Milvus, an open-source vector database widely used in generative AI workloads. The vulnerability arises because Milvus versions prior to 2.5.27 and betwee
February 14, 2026 at 4:30 AM
🚨 CRITICAL: Calero VeraSMART (pre-2022 R1) flaw allows unauth RCE via hard-coded crypto keys. No exploit seen yet — upgrade or fix keys ASAP. Details: https://radar.offseq.com/threat/cve-2026-26335-cwe-321-use-of-hard-coded-cryptogra-07023d75 #OffSeq #Vulnerability #Calero
CVE-2026-26335: CWE-321 Use of Hard-coded Cryptographic Key in Calero VeraSMART
CVE-2026-26335 is a vulnerability identified in Calero VeraSMART versions prior to 2022 R1, stemming from the use of hard-coded cryptographic keys in the ASP.NET machineKey configuration within the web.config file. The machineKey is critica
February 14, 2026 at 3:00 AM
Calero VeraSMART pre-2022 R1 hit by CRITICAL RCE flaw: unauthenticated attackers can exploit port 8001 for full server compromise. Restrict access & upgrade now. https://radar.offseq.com/threat/cve-2026-26333-cwe-306-missing-authentication-for--bbf1e7d2 #OffSeq #CVE202626333 #CyberAlert
CVE-2026-26333: CWE-306 Missing Authentication for Critical Function in Calero V
Calero VeraSMART versions prior to 2022 R1 contain a critical vulnerability (CVE-2026-26333) due to missing authentication on a .NET Remoting HTTP service exposed on TCP port 8001. This service publishes default ObjectURIs such as EndeavorS
February 14, 2026 at 1:30 AM
CRITICAL: Known <1.6.3 exposes password reset tokens — full account takeover risk. Patch to 1.6.3+ and review reset workflows to protect users. https://radar.offseq.com/threat/cve-2026-26273-cwe-200-exposure-of-sensitive-infor-d59f1dbb #OffSeq #CVE202626273 #Security
CVE-2026-26273: CWE-200: Exposure of Sensitive Information to an Unauthorized Ac
CVE-2026-26273 affects the Known social publishing platform (product: known, vendor: idno) in versions prior to 1.6.3. The vulnerability arises from the exposure of password reset tokens within a hidden HTML input field on the password rese
February 14, 2026 at 12:00 AM
CRITICAL: CVE-2026-26219 in newbee-mall 1.0.0 — unsalted MD5 exposes passwords to fast brute-force if hashes leak. Upgrade to strong hashing + force password resets now! 🔒 https://radar.offseq.com/threat/cve-2026-26219-cwe-327-use-of-a-broken-or-risky-cr-46123275 #OffSeq #security #ecommerce
CVE-2026-26219: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in newb
CVE-2026-26219 identifies a critical cryptographic vulnerability in newbee-ltd's e-commerce platform newbee-mall, specifically version 1.0.0. The vulnerability stems from the use of the MD5 hashing algorithm for password storage without any
February 13, 2026 at 10:30 AM
CVE-2026-24044 (CRITICAL): element-hq ess-helm <25.12.1 uses insecure PRNG for Matrix server keys. Attackers can impersonate servers. Upgrade to 25.12.1+ & rotate keys now! https://radar.offseq.com/threat/cve-2026-24044-cwe-336-same-seed-in-pseudo-random--1eb14671 #OffSeq #Matrix #Helm
CVE-2026-24044: CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG) in e
CVE-2026-24044 is a vulnerability classified under CWE-336 (Same Seed in PRNG) affecting the Element Server Suite Community Edition (ESS Community) Helm Chart used to deploy Matrix stacks on Kubernetes. The vulnerability arises from an inse
February 13, 2026 at 9:00 AM
CRITICAL: Code injection in goauthentik authentik (CVE-2026-25227). Users with certain permissions can execute code. Upgrade to patched versions now! https://radar.offseq.com/threat/cve-2026-25227-cwe-94-improper-control-of-generati-cc39f642 #OffSeq #authentik #VulnAlert
CVE-2026-25227: CWE-94: Improper Control of Generation of Code ('Code Injection'
CVE-2026-25227 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code, or Code Injection) found in the open-source identity provider authentik. The flaw exists in the handling of delegated permissions re
February 13, 2026 at 6:00 AM
CRITICAL heap out-of-bounds write in ROS 2 navigation2 (≤1.3.11) via /initialpose lets attackers crash or exploit robots. Isolate DDS domains & monitor traffic. Patch when available! https://radar.offseq.com/threat/cve-2026-26011-cwe-787-out-of-bounds-write-in-ros--a5e729c2 #OffSeq #ROS2 #vuln
CVE-2026-26011: CWE-787: Out-of-bounds Write in ros-navigation navigation2
CVE-2026-26011 is a critical vulnerability affecting the navigation2 package of the ROS 2 Navigation Framework, specifically versions 1.3.11 and earlier. The flaw exists in the Adaptive Monte Carlo Localization (AMCL) particle filter cluste
February 13, 2026 at 4:30 AM
Airleader Master has a CRITICAL flaw (CVE-2026-1358): unauthenticated file uploads can lead to remote code execution. Industrial systems in Europe highly exposed. Act now — restrict uploads, monitor, and patch when possible. https://radar.offseq.com/threat/cve-2026-1358-cwe-434-in-airleader-gmbh-...
CVE-2026-1358: CWE-434 in Airleader GmbH Airleader Master
CVE-2026-1358 is a critical security vulnerability identified in Airleader GmbH's Airleader Master software versions 6.381 and earlier. The flaw is categorized under CWE-434, which pertains to unrestricted file upload vulnerabilities. Speci
February 13, 2026 at 1:30 AM
CRITICAL RCE in Crawl4AI <0.8.0: /crawl endpoint lets attackers exec Python code, risking full server compromise. Block public access, monitor logs, and upgrade to 0.8.0+. Details: https://radar.offseq.com/threat/cve-2026-26216-cwe-94-improper-control-of-generati-09f71e54 #OffSeq #CVE202626216 #s...
CVE-2026-26216: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVE-2026-26216 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code, or Code Injection) affecting unclecode's Crawl4AI software versions prior to 0.8.0. The vulnerability resides in the /crawl HTTP end
February 12, 2026 at 5:30 PM
HIGH risk XSS in ays-pro Secure Copy Content Protection & Content Locking plugin (all versions): Unauthenticated attackers can inject scripts via HTTP header. Review deployments & restrict input now. https://radar.offseq.com/threat/cve-2026-1320-cwe-79-improper-neutralization-of-in-70548f61 #OffS...
CVE-2026-1320: CWE-79 Improper Neutralization of Input During Web Page Generatio
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitizatio
February 12, 2026 at 2:30 PM
Dell Update Package (23.12.00 – 24.12.00) HIGH severity vuln: local users can escalate privileges due to improper permissions. Restrict access & monitor for patches. https://radar.offseq.com/threat/cve-2026-23857-cwe-280-improper-handling-of-insuff-a6a15377 #OffSeq #Dell #Security
CVE-2026-23857: CWE-280: Improper Handling of Insufficient Permissions or Privil
CVE-2026-23857 identifies a vulnerability in the Dell Update Package (DUP) Framework, specifically versions 23.12.00 through 24.12.00, where improper handling of insufficient permissions or privileges (classified under CWE-280) allows a low
February 12, 2026 at 1:00 PM