Vulnerabilities

Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.

CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.

Serv-U 15.5.4 fixes four CVSS 9.1 bugs including type confusion and access control flaws. Admin access required, but file transfer platforms remain high-value targets.

CVE-2025-40540 is a critical type confusion vulnerability in SolarWinds Serv-U with CVSS 9.1. Attackers with admin access can execute arbitrary code.

CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.

CVE-2026-26119 lets attackers escalate from standard user to domain admin via improper authentication. Microsoft rates exploitation 'more likely.'

CVE-2026-26030 in Microsoft's Semantic Kernel Python SDK enables unauthenticated RCE through InMemoryVectorStore. Upgrade to 1.39.4 immediately.

Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.

CVE-2026-2329 (CVSS 9.3) enables unauthenticated RCE on Grandstream GXP1600 VoIP phones. Attackers can intercept calls, steal credentials. Patch to 1.0.7.81.

Critical CVE-2026-1490 (CVSS 9.8) in CleanTalk anti-spam plugin allows unauthenticated attackers to install malicious plugins via DNS spoofing. Update to 6.72 now.

Cisco Talos researcher uses 'good enough' emulation to fuzz Socomec DIRIS M-70 energy gateway, discovering CVE-2025-54848 through CVE-2025-55222 in Modbus protocol handling.

CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.

CVE-2026-2441 is a high-severity CSS use-after-free in Chrome being exploited in the wild. Update to version 145.0.7632.75 immediately.

New n8n RCE flaw bypasses December patch through type confusion. CVSS 9.4 vulnerability enables unauthenticated command execution via malicious workflows.

CVE-2026-20700 memory corruption flaw in dyld exploited against targeted individuals. Google TAG credited with discovery. Patch now for iOS, macOS, watchOS.

GreyNoise traces Ivanti EPMM exploitation to bulletproof hosting on PROSPERO network. Defenders find dormant webshells—signs of initial access broker activity.

CVE-2025-20359 and CVE-2025-20360 affect Cisco FTD, Meraki, and open-source Snort 3. No workarounds exist—patches rolling out through February.

CVE-2026-21643 allows unauthenticated attackers to chain SQL injection with command execution in FortiClient EMS. CVSS 9.8 affects version 7.4.4—upgrade to 7.4.5 immediately.

CVE-2026-1731 allows unauthenticated remote code execution on BeyondTrust Remote Support and Privileged Remote Access products. CVSS 9.9 vulnerability affects 11,000+ exposed instances.

Microsoft's February 2026 Patch Tuesday fixes 59 flaws including six actively exploited zero-days. CrowdStrike confirmed CVE-2026-21533 was used in attacks targeting US and Canada since December.

CVE-2026-22778 chains a heap leak and buffer overflow in vLLM's video processing to achieve full RCE on AI inference servers. Patch to 0.14.1 now.

CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.

CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.

CVE-2026-25049 bypasses n8n's previous sandbox fix to enable system command execution. Four additional vulnerabilities disclosed simultaneously.

Federal agencies face an aggressive Friday deadline to patch CVE-2025-40551 in SolarWinds Web Help Desk. The compressed timeline signals serious active exploitation.

CVE-2026-20111 enables stored cross-site scripting attacks against administrators of Cisco Prime Infrastructure network management systems.

Attackers exploiting CVE-2025-5947 in Service Finder Bookings plugin to hijack admin accounts through cookie manipulation. Over 6,000 sites potentially exposed.

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.

Tenable discloses 'LookOut' vulnerabilities in Google Looker enabling remote code execution and full database theft. Self-hosted deployments at 60,000+ organizations exposed.

The OWASP Top 10 lists the most critical web application security vulnerabilities. Learn what each risk means, see real-world examples, and understand how to protect your applications.

Researchers disclose zero-click attack vector on Android where adding a user to a group can trigger malware execution through manipulated media files.

Attackers exploited a validation flaw to send spoofed cross-chain messages and unlock tokens across Ethereum, Arbitrum, and six other networks.

CVE-2025-8110 allows authenticated attackers to achieve RCE on self-hosted Git servers via path traversal. Over 700 instances already compromised.

JFrog researchers develop working remote code execution exploit for CVE-2025-62507, a stack buffer overflow in Redis discovered by Google's AI security agent.

CVE-2025-0921 enables privileged file system operations that can disrupt industrial control systems in automotive, energy, and manufacturing environments.

Cisco patches CVE-2026-20029, an XML external entity vulnerability in Identity Services Engine with proof-of-concept exploit code already publicly available.

Deserialization bugs and authentication bypasses enable unauthenticated RCE. Attackers have targeted WHD vulnerabilities before.

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

CVE-2025-15467 allows attackers to crash or compromise systems by sending malicious CMS messages. All AI-discovered in OpenSSL's largest coordinated security release.

JFrog discloses CVE-2026-1470 and CVE-2026-0863 in workflow automation platform. Both vulnerabilities enable authenticated remote code execution.

CVE-2026-23550 in Modular DS plugin scores CVSS 10.0. Active exploitation began January 13, with 40,000+ sites at risk.

CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.

CVE-2026-23760 enables unauthenticated admin takeover in SmarterMail. Exploitation began two days after patch release.

CVE-2026-21509 bypasses OLE security protections across Office 2016-2024. CISA adds it to KEV catalog with February 16 deadline.