Severity: Moderate CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected: sleapi-j < 5.1.7 Fixed in: sleapi-j 5.1.7 (commit 265118d) Advisory: GHSA-6g75-jwgj-hj8v Reporter: Daniel Miranda Barcelona (Excal1bur) Discovery date: 2026-03-26 This is the third YAMCS CVE. The first two were CVE-2026-44595 and CVE-2026-44596. What is…
Severity: MEDIUM (CVSS 4.3)Affected: yamcs-core < 5.12.7Fixed in: yamcs-core 5.12.7Advisory: GHSA-p2rj-mrmc-9w29 YAMCS has an IAM system with privilege levels. One of them is SystemPrivilege.ControlAccess supposed to gate access to user management endpoints. The IAM API has endpoints for listing users,…
Vault Exfiltrator – USB Rubber Ducky Physical Exfiltration Payload Vault Exfiltrator is a payload designed for the USB Rubber Ducky that physically extracts password manager database files from a target Windows system. Unlike remote exfiltration payloads, it copies the files…
Coordinated report submitted through a national CERT. Context This section documents a real-world case of responsible security disclosure involving a public-sector system in Spain. The finding was identified through non-intrusive analysis and reported via an official channel, following the principles…