← All posts
#

CVE-2026-41651

2 posts

HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)
HTB · Easy

HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)

Vhost fuzzing reveals a Flowise 3.0.5 staging site. CVE-2025-58434 leaks a password reset token, enabling account takeover. CVE-2025-59528 provides authenticated RCE inside a Docker container. Credential reuse from environment variables leads to SSH access, and CVE-2026-41651 (Pack2TheRoot) grants root.

09 Jun 2026 Easy
HTB Snapped (Hard): CVE-2026-27944, bcrypt, and Two Paths to Root via PackageKit and snap-confine
HTB · Hard

HTB Snapped (Hard): CVE-2026-27944, bcrypt, and Two Paths to Root via PackageKit and snap-confine

From an unauthenticated Nginx UI backup disclosure (CVE-2026-27944), a bcrypt hash is cracked to gain user access. Privilege escalation is possible via either CVE-2026-41651 (PackageKit TOCTOU) or the intended race condition in snap-confine (CVE-2026-3888).

09 Jun 2026 Hard