{"uuid": "fdd15828-339e-4711-a71a-6b92792a4aaf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Appears to be exploited, as confirmed by Defused", "description": "\ud83d\udea8 Citrix NetScaler CVE-2026-3055 is being actively exploited in the wild \n\nAttackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie. \n\nOur honeypot data shows exploitation activity using the same payload structure as the @watchtowrcyber PoC. \n\nTrack exploitation of our Citrix honeypots \ud83d\udc49 https://console.defusedcyber.com/capabilities\n\nhttps://x.com/defusedcyber/status/2038266417091326156?s=46", "description_format": "markdown", "vulnerability": "CVE-2026-3055", "creation_timestamp": "2026-03-29T17:36:26.701028+00:00", "timestamp": "2026-03-29T17:36:59.391710+00:00", "related_vulnerabilities": ["CVE-2026-3055"], "meta": [{"tags": ["vulnerability:exploitability=industrialised", "vulnerability:origin=software"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
