IT Consulting, Service and Management
Our decades of implementation and integration experience allows us to deliver best-of-class IT services to our customers
Security and Endpoint Protection
Defend your networks from active adversaries, ransomware, phishing, malware, and more.
Data Continuity
Backup and recovery services are a necessity for todays modern networks. We can help to determine where and when your data needs to live to be sure it's always available
Cloud Services
With so many options and implementation scenarios available, let us help you determine how best to use new services available from the cloud.
Technology services dedicated to bridging the gap between technology and your business
Since 1996, our mission has always been to help our clients maximize productivity and efficiency by expertly maintaining existing infrastructures, as well as designing and implementing new technologies, allowing them to continue growing into the future.
- Knowledgeable and friendly staff
- Flexible consumption-based pricing models
- Online strategy and consulting services
- Decades of experience
News, updates, trends and the latest
info you need to know about IT
July 10, 2026
Overview
GNU Wget, versions 1.25.0 and earlier, contains a server-side request forgery (SSRF) vulnerability in its implementation of FTP passive mode. Because Wget does not properly validate IP addresses obtained from PASV responses, an attacker-controlled FTP endpoint can redirect the client’s connection to arbitrary IPs, potentially exposing internal network host and service responses. This vulnerability has been remediated in a recent update by GNU; see the Solutions section below for resolution guidance.
Description
GNU Wget is a widely used command-line utility for retrieving content over HTTP, HTTPS, and FTP. When operating over FTP in passive mode, Wget relies on the server’s PASV response to determine which IP address and port to use for the data connection.
CVE-2026-15146 GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.
This issue belongs to a known class of FTP PASV vulnerabilities such as CVE-2021-40491, which was previously remediated in GNU Inetutils.
Impact
A remote attacker controlling or influencing an FTP endpoint can induce Wget to establish connections to otherwise inaccessible internal network addresses. This may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reachable by the victim host. Applications that embed Wget for automated retrieval are particularly susceptible, because the vulnerability may be triggered automatically through redirected requests and untrusted user-supplied URLs.
Solution
GNU Wget has remediated this issue in the 07/05/2026 commit 4f85853f641863d5915786a8413e1a213726a62b. Users are advised to update their version according to vendor guidance.
Acknowledgements
Thanks to Jeremy Brown for researching and reporting this vulnerability. This document was written by Molly Jaconski.
July 9, 2026
Overview
PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store.
Description
A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user’s device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app.
The PayRange app bypasses Android’s SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates):
Common Name ends with “payrange.com”
Common Name contains “stripe.com”
Common Name contains “fetlifestatus.com” AND any of these conditions are true:
Issuer Common Name is “R10”
Issuer Common Name is “R3”
Issuer Common Name contains “Network Solutions”
The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user’s device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers.
Impact
An attacker may be able to intercept any information they can convince the user to send through the app. If the user is a machine operator, the injected JavaScript code can also connect to PayRange hardware and issue commands with the full permissions of the operator.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Apply the latest software updates provided by your hardware or software vendor as they become available.
Acknowledgements
Thanks to Tahi Wilton Geary for reporting this vulnerability. This document was written by Bob Kemerer.
July 9, 2026
Overview
Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities.
Description
Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation.
CVE-2026-14261
A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.
CVE-2026-12116
A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed.
During installation, Xerte creates a /setup/ folder to configure database connection settings. This folder persists post-installation without access controls or automatic cleanup, and /setup/index.php does not verify whether installation has completed. An attacker can revisit /setup/ and reconfigure the application to point to a remote database, thereby gaining administrative access.
After gaining admin privileges, an attacker can abuse CVE-2026-12116 by editing the antivirus binary path to point to a PHP interpreter. This causes any new uploaded files to be passed to the PHP runtime through website_code/php/import/fileupload.php, bypassing file extension checks and resulting in remote code execution.
Impact
Successful exploitation can allow full remote code execution on the affected server. This enables attackers to establish persistent access, exfiltrate data, or launch supply chain attacks by injecting malicious content into educational materials distributed by the platform.
Solution
These issues have been addressed in two commits:
– 8fec660 removes /setup/ automatically after installation/upgrade and blocks reuse.
– 8ef2062 moves sensitive configuration files, including the antivirus binary path, to server-side locations.
Users should take the following steps immediately:
1. Manually remove the initial installation /setup/ folder from installations.
2. Upgrade to Xerte v3.15.5 or v3.14.6 and run upgrade.php, which enforces automatic /setup/ removal and includes security hardening. If removal fails, the updated code still prevents exploitation.
This blog post: https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update contains more information and contact data for Xerte.
Acknowledgements
Thanks to the reporter, George Filippov from the Vexel Foundation. This document was written by Christopher Cullen.
Contact us today if you'd like to know more
about how we can keep your network working at its best
VistaNet, Inc is a technology consulting and services company, helping enterprises
marry scale with agility to achieve competitive advantage.
