And the wave is not over. We are already sitting on the next one: a
fresh Joomla zero-day that allows full, unrestricted, unauthenticated
file uploads. In our proof of concept, an uploaded .php file ran with no login and no token, written to a predictable web-root path and executed as text/html. That is clean remote code execution, the most serious class of web vulnerability there is.