Offensive Sequence
LightNews LightNews
banner
offseq.bsky.social
Offensive Sequence
@offseq.bsky.social
24 followers 0 following 1.3K posts
OffSeq is a cutting-edge European cybersecurity company helping organizations build digital resilience through tailored, proactive security solutions. #CyberSecurity https://www.offseq.com/ https://radar.offseq.com/ https://guard.offseq.com/
Posts Replies Media Videos
Pinned
offseq.bsky.social
Offensive Sequence @offseq.bsky.social · Jan 1
Happy 2026 from OffSeq ⚡
Threat Radar moved to a larger server after strong growth (100k users, 500k events last month). Timeline posts resume shortly.

Meanwhile, meet Veil — a local-only steganography studio. Encrypt data in your browser, hide it in images. No uploads.

veil.offseq.com
Veil - client-side steganography studio
Veil is a client-side steganography studio that encrypts messages and files into images using password-based encryption.
veil.offseq.com
offseq.bsky.social
CRITICAL: CVE-2026-2577 in HKUDS nanobot WhatsApp bridge allows unauthenticated attackers to hijack sessions via port 3001. Restrict access & monitor now. No patch yet. https://radar.offseq.com/threat/cve-2026-2577-cwe-306-missing-authentication-for-c-d0d526e7 #OffSeq #Cybersecurity #Vulnerability
CVE-2026-2577: CWE-306 Missing Authentication for Critical Function in HKUDS nan
CVE-2026-2577 is a critical security vulnerability identified in the HKUDS nanobot product, specifically within its WhatsApp bridge component. The flaw arises because the WebSocket server is bound to all network interfaces (0.0.0.0) on port
radar.offseq.com
February 16, 2026 at 1:30 PM
offseq.bsky.social
EFM iptime A6004MX (fw 14.18.2) has a CRITICAL unpatched vuln: CVE-2026-2550 allows remote unauthenticated file uploads — risk of full compromise. Block access & monitor now. https://radar.offseq.com/threat/cve-2026-2550-unrestricted-upload-in-efm-iptime-a6-a8baac0d #OffSeq #SecurityAlert #Router...
CVE-2026-2550: Unrestricted Upload in EFM iptime A6004MX
The vulnerability identified as CVE-2026-2550 affects the EFM iptime A6004MX router running firmware version 14.18.2. The issue resides in the commit_vpncli_file_upload function within the /cgi/timepro.cgi endpoint, which improperly restric
radar.offseq.com
February 16, 2026 at 12:00 PM
offseq.bsky.social
CRITICAL: EFM iptime A6004MX (14.18.2) hit by CVE-2026-2550 — unrestricted remote upload flaw. Exploit is public, no vendor fix. Isolate now! https://radar.offseq.com/threat/cve-2026-2550-unrestricted-upload-in-efm-iptime-a6-a8baac0d #OffSeq #Vulnerability #RouterSecurity
CVE-2026-2550: Unrestricted Upload in EFM iptime A6004MX
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit
radar.offseq.com
February 16, 2026 at 10:30 AM
offseq.bsky.social
⚠️ HIGH severity: Notepad2 (v4.2.22 – 4.2.25) hit by uncontrolled search path vuln — local attackers can execute code. No patch yet. Restrict access & monitor systems. More info: https://radar.offseq.com/threat/cve-2026-2538-uncontrolled-search-path-in-flos-fre-d9540b5b #OffSeq #Vulnerability #No...
CVE-2026-2538: Uncontrolled Search Path in Flos Freeware Notepad2
CVE-2026-2538 is a vulnerability identified in Flos Freeware Notepad2 versions 4.2.22 to 4.2.25, specifically related to an uncontrolled search path issue within the Msimg32.dll library. This vulnerability arises when the application loads
radar.offseq.com
February 16, 2026 at 9:00 AM
offseq.bsky.social
Total VPN 0.5.29.0 hit by HIGH-severity unquoted search path vuln (CVE-2026-2542) on Windows. Local attackers could escalate privileges. No patch — restrict permissions & monitor systems. https://radar.offseq.com/threat/cve-2026-2542-unquoted-search-path-in-total-vpn-86fa0d9d #OffSeq #Vulnerabili...
CVE-2026-2542: Unquoted Search Path in Total VPN
CVE-2026-2542 identifies an unquoted search path vulnerability in Total VPN version 0.5.29.0 on Windows platforms, specifically involving the win-service.exe executable located in the default installation directory (C:\Program Files\Total V
radar.offseq.com
February 16, 2026 at 7:30 AM
offseq.bsky.social
ezPDF DRM Reader 2.0/3.0.0.4 (32-bit) faces a HIGH risk: uncontrolled search path (CVE-2026-2516). Exploit public, no patch available. Limit local access & monitor systems now! https://radar.offseq.com/threat/cve-2026-2516-uncontrolled-search-path-in-unidocs--c9898b25 #OffSeq #Security #PDF
CVE-2026-2516: Uncontrolled Search Path in Unidocs ezPDF DRM Reader
CVE-2026-2516 is a vulnerability identified in Unidocs ezPDF DRM Reader versions 2.0 and 3.0.0.4 running on 32-bit systems. The root cause is an uncontrolled search path issue related to the SHFOLDER.dll library, which is part of the Window
radar.offseq.com
February 16, 2026 at 6:00 AM
offseq.bsky.social
JUNG eNet SMART HOME server flaw (HIGH, 7.1 CVSS): Any user can delete others’ accounts due to missing authorization checks. Restrict /jsonrpc/management now & monitor accounts. https://radar.offseq.com/threat/cve-2026-26367-missing-authorization-in-jung-enet--173718f4 #OffSeq #SmartHome #Securit...
CVE-2026-26367: Missing Authorization in JUNG eNet SMART HOME server
The vulnerability identified as CVE-2026-26367 affects JUNG's eNet SMART HOME server versions 2.2.1 and 2.3.1. It stems from a missing authorization check in the deleteUserAccount JSON-RPC method, which is intended to allow user account del
radar.offseq.com
February 16, 2026 at 4:30 AM
offseq.bsky.social
JUNG eNet SMART HOME server (2.2.1, 2.3.1) HIGH severity flaw: low-priv users can reset admin passwords — account takeover risk! Restrict /jsonrpc/management & monitor logs. More: https://radar.offseq.com/threat/cve-2026-26368-missing-authorization-in-jung-enet--3a6df6c1 #OffSeq #Vulnerability #I...
CVE-2026-26368: Missing Authorization in JUNG eNet SMART HOME server
The vulnerability identified as CVE-2026-26368 affects the eNet SMART HOME server software developed by JUNG, specifically versions 2.2.1 and 2.3.1. The issue lies in the resetUserPassword JSON-RPC method, which lacks proper authorization c
radar.offseq.com
February 16, 2026 at 3:00 AM
offseq.bsky.social
CRITICAL: CVE-2026-1490 in CleanTalk for WordPress lets attackers install plugins via DNS spoofing if API keys are invalid. Audit keys and restrict plugin installs now. https://radar.offseq.com/threat/cve-2026-1490-cwe-350-reliance-on-reverse-dns-reso-0fc3066a #OffSeq #WordPress #Vulnerability
CVE-2026-1490: CWE-350 Reliance on Reverse DNS Resolution for a Security-Critica
The vulnerability identified as CVE-2026-1490 affects the CleanTalk Spam protection, Honeypot, Anti-Spam plugin for WordPress, a widely used security plugin designed to prevent spam and malicious activity. The root cause is a reliance on re
radar.offseq.com
February 16, 2026 at 1:30 AM
offseq.bsky.social
CRITICAL: JUNG eNet SMART HOME servers 2.2.1/2.3.1 use default creds post-deploy — remote admin access risk! Change all passwords & restrict remote access. https://radar.offseq.com/threat/cve-2026-26366-use-of-default-credentials-in-jung--23983d02 #OffSeq #IoTSecurity #SmartHome
CVE-2026-26366: Use of Default Credentials in JUNG eNet SMART HOME server
The vulnerability identified as CVE-2026-26366 affects JUNG's eNet SMART HOME server versions 2.2.1 and 2.3.1. These versions ship with default credentials (user:user and admin:admin) that remain enabled after installation and commissioning
radar.offseq.com
February 16, 2026 at 12:00 AM
offseq.bsky.social
CRITICAL: CVE-2026-26369 in JUNG eNet SMART HOME server (2.2.1/2.3.1) lets users escalate to admin via /jsonrpc/management. Restrict endpoint, monitor changes, and await patch. https://radar.offseq.com/threat/cve-2026-26369-improper-privilege-management-in-ju-f86570ed #OffSeq #IoTSecurity #CVE202...
CVE-2026-26369: Improper Privilege Management in JUNG eNet SMART HOME server
CVE-2026-26369 is a critical security vulnerability identified in the JUNG eNet SMART HOME server software versions 2.2.1 and 2.3.1. The root cause is improper privilege management due to insufficient authorization validation within the set
radar.offseq.com
February 15, 2026 at 11:30 PM
offseq.bsky.social
Open5GS SMF (2.7.0 – 2.7.6) faces MEDIUM DoS risk (CVE-2026-2517). Remote attackers can crash 5G core services. Monitor GTPv2, block malformed packets, patch when available. https://radar.offseq.com/threat/cve-2026-2517-denial-of-service-in-open5gs-08313086 #OffSeq #Open5GS #5GSafety
CVE-2026-2517: Denial of Service in Open5GS
CVE-2026-2517 is a denial of service (DoS) vulnerability identified in Open5GS, an open-source 5G core network implementation widely used for mobile network functions. The vulnerability exists in the SMF (Session Management Function) compon
radar.offseq.com
February 15, 2026 at 2:30 PM
offseq.bsky.social
Unidocs ezPDF DRM Reader (2.0 & 3.0.0.4, 32-bit) faces a HIGH-severity uncontrolled search path flaw. Exploit public, no patch. Restrict local access & monitor for malicious DLLs. https://radar.offseq.com/threat/cve-2026-2516-uncontrolled-search-path-in-unidocs--c9898b25 #OffSeq #Vulnerability #B...
CVE-2026-2516: Uncontrolled Search Path in Unidocs ezPDF DRM Reader
CVE-2026-2516 is a vulnerability identified in Unidocs ezPDF DRM Reader versions 2.0 and 3.0.0.4 running on 32-bit systems. The root cause is an uncontrolled search path issue related to the SHFOLDER.dll library, which is part of the Window
radar.offseq.com
February 15, 2026 at 1:00 PM
offseq.bsky.social
🚗 CVE-2026-2540 (HIGH): Micca KE700 car alarm flaw lets attackers replay codes & clone keys — vehicles can be unlocked or locked. No patch yet. Assess risk & monitor vendor updates. https://radar.offseq.com/threat/cve-2026-2540-cwe-288-authentication-bypass-using--06adb1fa #OffSeq #CarSecurity
CVE-2026-2540: CWE-288: Authentication Bypass Using an Alternate Path or Channel
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previousl
radar.offseq.com
February 15, 2026 at 11:30 AM
offseq.bsky.social
MEDIUM severity: 300+ Chrome extensions with 37M+ installs are leaking/stealing user data. Audit browser add-ons, lock extension policies, and review endpoints now. 🛡️ https://radar.offseq.com/threat/over-300-malicious-chrome-extensions-caught-leakin-5e10fd10 #OffSeq #BrowserSecurity
Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data
This threat involves over 300 malicious Google Chrome browser extensions that have collectively been downloaded more than 37 million times. These extensions have been caught leaking or outright stealing user data, including potentially sens
radar.offseq.com
February 15, 2026 at 10:00 AM
offseq.bsky.social
CVE-2026-1793: Medium-severity path traversal in Element Pack Addons for Elementor (≤8.3.17) lets contributors read sensitive files. Audit roles, monitor logs, and restrict access until patched. https://radar.offseq.com/threat/cve-2026-1793-cwe-22-improper-limitation-of-a-path-4752164f #OffSeq #W...
CVE-2026-1793: CWE-22 Improper Limitation of a Pathname to a Restricted Director
CVE-2026-1793 is a path traversal vulnerability classified under CWE-22, found in the Element Pack Addons for Elementor plugin for WordPress, specifically in the 'render_svg' function used by the SVG widget. This vulnerability arises from i
radar.offseq.com
February 15, 2026 at 8:30 AM
offseq.bsky.social
HIGH: CVE-2026-1750 in Ecwid by Lightspeed for WordPress lets low-level users escalate to admin. Update plugin when patched, restrict roles, and monitor for abuse. https://radar.offseq.com/threat/cve-2026-1750-cwe-269-improper-privilege-managemen-02c6a8ce #OffSeq #WordPress #Ecommerce
CVE-2026-1750: CWE-269 Improper Privilege Management in ecwid Ecwid by Lightspee
CVE-2026-1750 is a privilege escalation vulnerability identified in the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, affecting all versions up to and including 7.0.7. The root cause is a missing capability check within
radar.offseq.com
February 15, 2026 at 7:00 AM
offseq.bsky.social
CRITICAL: WordPress midi-Synth plugin (≤1.1.0) allows unauthenticated file uploads — attackers can gain RCE. Disable plugin or secure file uploads immediately! https://radar.offseq.com/threat/cve-2026-1306-cwe-434-unrestricted-upload-of-file--95798a0f #OffSeq #WordPress #Security
CVE-2026-1306: CWE-434 Unrestricted Upload of File with Dangerous Type in admink
CVE-2026-1306 is a critical security vulnerability identified in the adminkov midi-Synth plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability arises from the plugin's 'export' AJAX action, which lacks pr
radar.offseq.com
February 15, 2026 at 5:30 AM
offseq.bsky.social
CRITICAL: CleanTalk Spam Protection plugin for WordPress allows unauthenticated plugin installs if API key is invalid (CVSS 9.8). Audit your sites & restrict plugin installs ASAP. https://radar.offseq.com/threat/cve-2026-1490-cwe-350-reliance-on-reverse-dns-reso-0fc3066a #OffSeq #WordPress #CVE20...
CVE-2026-1490: CWE-350 Reliance on Reverse DNS Resolution for a Security-Critica
The vulnerability identified as CVE-2026-1490 affects the CleanTalk Spam protection, Honeypot, Anti-Spam plugin for WordPress, a widely used security plugin designed to prevent spam and malicious activity. The root cause is a reliance on re
radar.offseq.com
February 15, 2026 at 4:00 AM
offseq.bsky.social
HIGH severity: SSRF in WordPress User Language Switch plugin lets admins access internal services. Audit your sites, restrict admin access, and monitor logs. No patch yet — act fast! https://radar.offseq.com/threat/cve-2026-0745-cwe-918-server-side-request-forgery--d2649c34 #OffSeq #WordPress #SSRF
CVE-2026-0745: CWE-918 Server-Side Request Forgery (SSRF) in webilop User Langua
CVE-2026-0745 is a Server-Side Request Forgery (SSRF) vulnerability identified in the User Language Switch plugin for WordPress, developed by webilop. The vulnerability exists in all versions up to and including 1.6.10 due to insufficient v
radar.offseq.com
February 15, 2026 at 3:00 AM
offseq.bsky.social
HIGH severity SQL Injection in PhotoStack Gallery plugin for WordPress — all versions at risk. Unauthenticated attackers can steal DB data. Disable or uninstall plugin while awaiting patch. https://radar.offseq.com/threat/cve-2026-2024-cwe-89-improper-neutralization-of-sp-e9679b86 #OffSeq #WordPr...
CVE-2026-2024: CWE-89 Improper Neutralization of Special Elements used in an SQL
CVE-2026-2024 identifies a critical SQL Injection vulnerability in the PhotoStack Gallery plugin for WordPress, maintained by savitasoni. The vulnerability exists in all versions up to and including 0.4.1 due to insufficient escaping and la
radar.offseq.com
February 15, 2026 at 1:30 AM
offseq.bsky.social
HIGH severity XSS in Super Simple Contact Form (WordPress, ≤1.6.2). Unauthenticated attackers can inject scripts. Disable or remove plugin ASAP until patched. https://radar.offseq.com/threat/cve-2026-0753-cwe-79-improper-neutralization-of-in-6158470c #OffSeq #WordPress #XSS
CVE-2026-0753: CWE-79 Improper Neutralization of Input During Web Page Generatio
CVE-2026-0753 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Super Simple Contact Form plugin for WordPress, developed by bitacre. The vulnerability exists in all versions up to and including 1.6.2 due to insuffic
radar.offseq.com
February 15, 2026 at 12:00 AM
offseq.bsky.social
HIGH: LFI in wpdecent Flexi Product Slider & Grid for WooCommerce — Contributor users can achieve RCE via insecure 'theme' param. Mitigate: restrict roles, disable plugin, monitor for abuse. Patch when out. https://radar.offseq.com/threat/cve-2026-1988-cwe-98-improper-control-of-filename--9af2696...
CVE-2026-1988: CWE-98 Improper Control of Filename for Include/Require Statement
CVE-2026-1988 is a Local File Inclusion vulnerability categorized under CWE-98 affecting the Flexi Product Slider and Grid for WooCommerce plugin for WordPress. The flaw resides in the handling of the 'theme' parameter within the flexipsg_c
radar.offseq.com
February 14, 2026 at 10:30 AM
offseq.bsky.social
HIGH-severity XSS in optimole Super Page Cache plugin affects all WordPress versions — unauthenticated attackers can inject scripts. Update ASAP, use WAF, and audit Activity Log. https://radar.offseq.com/threat/cve-2026-1843-cwe-79-improper-neutralization-of-in-da8cc8a7 #OffSeq #WordPress #XSS
CVE-2026-1843: CWE-79 Improper Neutralization of Input During Web Page Generatio
CVE-2026-1843 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Super Page Cache plugin for WordPress, developed by optimole. This vulnerability exists in all versions up to and including 5.2.2 and is due to improper neutr
radar.offseq.com
February 14, 2026 at 9:00 AM
offseq.bsky.social
⚠️ CVE-2026-1306: adminkov midi-Synth on WordPress lets attackers upload files & run code. All versions at risk — update or disable now, monitor uploads! https://radar.offseq.com/threat/cve-2026-1306-cwe-434-unrestricted-upload-of-file--95798a0f #OffSeq #WordPress #Vulnerability
CVE-2026-1306: CWE-434 Unrestricted Upload of File with Dangerous Type in admink
CVE-2026-1306 is a critical security vulnerability identified in the adminkov midi-Synth plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability arises from the plugin's 'export' AJAX action, which lacks pr
radar.offseq.com
February 14, 2026 at 7:30 AM