LPE

HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)

Vhost fuzzing reveals a Flowise 3.0.5 staging site. CVE-2025-58434 leaks a password reset token, enabling account takeover. CVE-2025-59528 provides authenticated RCE inside a Docker container. Credential reuse from environment variables leads to SSH access, and CVE-2026-41651 (Pack2TheRoot) grants root.