Threat Modeling and Security by Design

Overview CVE-2026-12191 is a high-severity insecure deserialization vulnerability in Comma AI Openpilot, an open-source autonomous driving research platform. The vulnerability exists in the modeld.py module, which uses Python’s pickle.load() and pickle.loads() to deserialize untrusted data without any validation or sanitization. A local attacker with access to the system can craft a malicious pickle payload to achieve arbitrary code execution in the context of the…

CVE-2026-54412: MQTT-C Heap-Based Out-of-Bounds Read (CVSS 8.2 HIGH) Published: June 2026 | CVSS: 8.2 HIGH | Severity: High Summary CVE-2026-54412 is a heap-based out-of-bounds (OOB) read vulnerability in MQTT-C, a lightweight C library implementing the MQTT protocol widely used in IoT and IIoT messaging. The flaw resides in the mqtt_unpack_publish_response() function in mqtt.c, where an integer underflow leads to reading beyond the bounds of…

What Is CVE-2026-54411? CVE-2026-54411 is a timing side-channel vulnerability in the pam_userdb module of Linux-PAM. The issue resides in pam_userdb.c, where the plaintext password comparison routine exhibits a measurable timing discrepancy. A local attacker can exploit this by measuring response times to systematically enumerate valid usernames from the user database backend. The vulnerability carries a CVSS score of 5.9 (Medium), reflecting the local attack…

Perl Library Security Advisory — June 2026 2 CVEs | OS Command Injection & File Overwrite | Config::IniFiles & GD Both vulnerabilities stem from unsafe use of Perl’s 2-argument open() with user-controlled filenames. Affected versions: Config::IniFiles < 3.001000 and GD < 2.86. Two widely deployed Perl libraries — Config::IniFiles and GD — have published security fixes for operating system command injection vulnerabilities. Both flaws…

CVE-2026-54410 — nanoMODBUS Off-by-One Buffer Overflow in Modbus/TCP Server CVSS 8.6 (HIGH) | CWE-193: Off-by-One Error | Affects nanoMODBUS ≤ 1.23.0 A remote unauthenticated attacker can send a crafted Modbus/TCP packet to trigger an off-by-one buffer overflow in the recv_msg_header() function, leading to memory corruption, denial of service, and potential remote code execution on industrial control systems and IIoT devices running nanoMODBUS. CVE-2026-54410 is…

Vulnerability Intelligence Report — June 15, 2026 Coverage: June 1–15, 2026 | New CISA KEV additions (period): 12 | New KEV since yesterday: 0 | KEV deadline TODAY: Oracle PeopleSoft | Ivanti Sentry deadline passed (June 14) | Overdue KEVs: 6 Previous reports: June 14, 2026 | June 13, 2026 Today — Sunday, June 15, 2026 — is the CISA KEV remediation deadline for…