Adobe Patches Acrobat Zero-Day Under Active Attack Since December
CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.
182 articles
Microsoft found an intent redirection vulnerability in EngageLab's Android SDK affecting 50M+ app installs. Crypto wallets with 30M users were at risk.
CVE-2026-39987 in Marimo Python notebooks allows unauthenticated RCE via terminal WebSocket. Attackers weaponized it within hours. Patch to 0.23.0 now.
CVE-2026-25776 (CVSS 9.8) enables remote code execution through Movable Type's Listing Framework. Affects versions 6.0+. Patches available for MT 9, 8.8, 8.0.
CVE-2026-39888 bypasses PraisonAI's Python sandbox via exception frame traversal. Attackers chain __traceback__ attributes to reach exec(). Patch to 1.5.115.
CVE-2026-34197 exposes Apache ActiveMQ to remote code execution via the Jolokia API. Horizon3 researcher used Claude to uncover the flaw in under 10 minutes. Patch now.
CVE-2026-34040 lets attackers bypass Docker authorization plugins with a single padded HTTP request. CVSS 8.8 flaw patched in Engine 29.3.1.
Critical code injection vulnerability CVE-2025-59528 in Flowise AI agent builder scores maximum CVSS 10.0 and is under active exploitation. Over 12,000 instances are publicly accessible.
Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.
University of Toronto researchers demonstrate GPUBreach, a GPU rowhammer attack that bypasses IOMMU protections to achieve root access on systems with NVIDIA GPUs. Consumer GPUs remain unmitigated.
CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.
AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.
CVE-2026-34838 lets authenticated attackers achieve RCE on Group-Office CRM servers via insecure deserialization. Upgrade to patched versions immediately.
CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.
CVE-2026-20093 and CVE-2026-20160 let unauthenticated attackers take full control of Cisco UCS servers and licensing infrastructure. No workarounds exist.
CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.
CVE-2026-34938 lets attackers escape PraisonAI's three-layer Python sandbox to execute arbitrary OS commands. CVSS 10 — patch to version 1.5.90 immediately.
Microsoft Azure Kubernetes Service has a critical auth bypass (CVE-2026-33105) with a perfect CVSS 10.0 score. Unauthenticated attackers can escalate to cluster admin—patch now.
Unit 42 exposes how excessive default permissions in Google Cloud's Vertex AI let attackers weaponize AI agents to steal data from customer environments.
CVE-2026-5281, exploited in the wild, targets Chrome's Dawn WebGPU implementation. Google rushes an emergency patch as Chrome zero-days accelerate in 2026.
CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd enables unauthenticated root RCE via buffer overflow. FreeBSD, NetBSD, Citrix NetScaler affected.
Trend Micro ZDI disclosed a CVSS 9.8 flaw enabling device takeover via animated stickers. Telegram says the vulnerability doesn't exist. No patch until July 2026.
Check Point Research disclosed a ChatGPT vulnerability that abused DNS tunneling to silently steal conversation data. OpenAI patched the flaw on February 20, 2026.
CVE-2026-21643 exploitation began March 26, six weeks after Fortinet's patch. Around 1,000 internet-exposed EMS instances remain vulnerable to unauthenticated RCE.
CVE-2026-33660 (CVSS 9.4) lets authenticated users escape n8n's AlaSQL sandbox via the Merge node. Over 615,000 public instances potentially vulnerable.
CVE-2026-3055 is now actively exploited. CISA adds the CVSS 9.3 NetScaler memory disclosure flaw to its KEV catalog, giving federal agencies until April 2 to patch appliances configured as SAML Identity Providers.
Critical CVSS 9.8 flaw in OpenClaw AI agent platform lets attackers replay setup codes for privilege escalation. Patch to version 2026.3.13 immediately.
CVE-2026-3098 lets subscribers read wp-config.php and any server file. Amelia Booking Pro also patched for admin password reset bug. Update these WordPress plugins now.
CISA added CVE-2025-53521 to its KEV catalog after F5 reclassified the BIG-IP APM vulnerability from DoS to remote code execution. CVSS 9.8—federal deadline is March 30.
Three vulnerabilities in LangChain and LangGraph expose filesystems, environment secrets, and conversation histories. CVE-2026-34070 enables path traversal. Patches available now.
CVE-2026-22557 lets unauthenticated attackers traverse paths and hijack UniFi Network accounts. CVSS 10.0 severity demands immediate patching to 10.1.89.
Critical CVE-2025-15517 allows attackers to bypass authentication on TP-Link Archer NX routers, upload malicious firmware, and modify configurations without credentials.
Critical deserialization flaw CVE-2026-4681 in PTC Windchill and FlexPLM threatens manufacturing sector. German federal police dispatched to warn companies of imminent exploitation.
n8n patches CVE-2026-27577, CVE-2026-27493, and two more sandbox escapes. One flaw allows unauthenticated attackers to execute commands via public form endpoints.
CVE-2026-3055 (CVSS 9.3) lets unauthenticated attackers read sensitive data from NetScaler memory. Affects appliances configured as SAML Identity Providers—patch now.
Attackers are exploiting the CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025, yet many instances remain exposed.
Three vulnerabilities in AVideo's CloneSite plugin chain together for unauthenticated remote code execution. CVE-2026-33478 has no patch available, and the chain lets attackers extract admin credentials and inject OS commands.
CVE-2026-3888 is a timing race between snap-confine and systemd-tmpfiles that grants root access on Ubuntu Desktop 24.04+. Qualys researchers demonstrate full privilege escalation.
Fortinet's March 2026 security advisory addresses 11 vulnerabilities including auth bypass, SQL injection, and buffer overflow flaws affecting enterprise management products.
Unrestricted file upload in Magento and Adobe Commerce REST API allows unauthenticated attackers to upload executable files. No isolated patch available for production versions.
Five vulnerabilities under active exploitation added to CISA's KEV catalog. Federal agencies must patch by April 3, 2026. Includes three Apple kernel flaws and Laravel RCE.
CVE-2026-33017 (CVSS 9.3) lets attackers execute arbitrary Python code on Langflow AI pipelines without authentication. Exploitation began before any PoC existed.
CVE-2026-21992 scores CVSS 9.8 and allows unauthenticated remote code execution on Oracle Identity Manager and Web Services Manager. Patch immediately.
CVE-2026-26144 allows attackers to silently exfiltrate sensitive data through Microsoft Copilot Agent without user interaction. Patch now or disable Copilot.
CVE-2026-3611 exposes Honeywell IQ4x building management controllers with CVSS 10 severity. Default configuration allows anyone to create admin accounts.
CISA confirms active exploitation of VMware Aria Operations CVE-2026-22719, a command injection flaw enabling unauthenticated RCE. Patch by March 24.
CISA added Microsoft SharePoint CVE-2026-20963 to the KEV catalog after confirming active exploitation. Federal agencies must patch by March 21.
LayerX researchers found that custom font rendering can hide malicious prompts from ChatGPT, Claude, Gemini, and other AI assistants while displaying them to users.