Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
Following up on last week's queries, the team shipped a weaponized exploit for CVE-2026-9082, a Drupal SQL injection that leads to information disclosure (and potentially privilege escalation or RCE). The vulnerability was added to KEV lists on May 22 after Drupal updated its advisory to note in-the-wild exploit attempts. Our Shodan query finds 29K+ Drupal instances on the public internet. Our exploit also comes with PCAPs and Snort and Suricata rules.
The team developed a chained exploit for CVE-2026-26980, a pre-authentication SQL injection in Ghost (a popular content management system) credited to Anthropic's Nicholas Carlini using Claude. Ghost's Content API is public-facing by design, and successful exploitation yields unauthenticated database reads sufficient for full Admin API takeover. The packaged exploit pairs the SQLi with CVE-2026-29053, a theme-rendering sandbox bypass, so the practical effect on a stock install is unauthenticated RCE on the Ghost host. Our Shodan query tracks roughly 5,300 internet-exposed Ghost instances. CVE-2026-26980 was added to VulnCheck KEV on 2026-05-21, with reported exploitation tied to a ClickFix campaign documented by QiAnXin XLab that has poisoned 700+ Ghost-hosted sites; the campaign uses stolen Admin API keys to inject loader JavaScript that serves a fake-Cloudflare prompt and drops Windows payloads. Our exploit comes with a target Docker container, a version scanner, PCAPs, and Suricata, Snort, and YARA rules.
The team developed an exploit for CVE-2026-43500, a high-severity vulnerability in the Linux kernel that allows any logged-in, unprivileged user to gain full root (administrator) access on the system. The flaw was discovered and publicly disclosed on May 10, 2026 as one of the "Dirty Frag" vulnerabilities. It affects most current Linux distributions in their default configurations, including Debian, Ubuntu 22.04+, Fedora, the RHEL family, and openSUSE Tumbleweed — anywhere the rxrpc kernel module is shipped and auto-loadable. A public proof of concept has been available since the patch landed, but no in-the-wild exploitation has been reported yet.
The team also added coverage for CVE-2026-31816, an authentication bypass vulnerability affecting versions 3.31.4 and below of the open-source low-code platform Budibase. The authentication bypass can be used to upload custom plugins and thereby achieve arbitrary code execution on the target, which is the method leveraged by the team's exploit. A Censys search shows just over 2,100 instances of Budibase on the public internet. We have not observed any in-the-wild exploitation of this vulnerability yet, but given how easily exploitable it is, that may change. The team delivered an exploit, ASM queries, additional PCAPs, new network signatures, and a Docker target.
Finally, the team developed an exploit for CVE-2024-50339, a pre-authentication session-hijack chain in GLPI originally discovered by Guilhem Rioux of Orange Cyberdefense. GLPI is an open-source IT asset and service management platform widely deployed in education, healthcare, and small-to-midsize enterprise organizations. A defender-detectable side effect of the chain is that successful exploitation leaves the install's existing plugins disabled; an operational GLPI whose plugins have suddenly flipped to disabled is a strong signal that an exploit attempt has landed. Our Shodan query returns approximately 1,500 internet-exposed GLPI instances with the login-page fingerprint at time of writing; no exploitation has been reported yet. Our exploit comes with a target Docker container, PCAPs, and Suricata, Snort, and YARA rules.