Zimbra Patches Critical XSS That Runs Code When Opening Emails
Zimbra urges immediate patching for a stored XSS flaw in Classic Web Client that executes malicious code when users open crafted emails. Google TAG reported the vulnerability.
70 articles tagged with "Zero Day"
Zimbra urges immediate patching for a stored XSS flaw in Classic Web Client that executes malicious code when users open crafted emails. Google TAG reported the vulnerability.
Progress Software tells ShareFile customers to immediately shut down Storage Zone Controllers due to a credible security threat. The company disabled affected accounts while investigating.
CVE-2026-20182 allows unauthenticated attackers to inject rogue peers into Cisco SD-WAN fabrics. Active exploitation since May; no workaround available—patch immediately.
CVE-2026-50751 allows unauthenticated VPN access via IKEv1 certificate validation flaw. CISA gave federal agencies three days to patch after linking attacks to ransomware affiliate.
A publicly released exploit targets CVE-2026-50656 in Microsoft Defender's quarantine pipeline. Microsoft confirms the flaw but has no patch timeline yet.
CVE-2026-20262 joins CVE-2026-20245 on CISA's exploited vulnerabilities list. Attackers deploy malicious .war files via path traversal to gain root access on Catalyst SD-WAN Manager.
WatchTowr Labs published technical details and exploit code for CVE-2026-50751, the auth bypass flaw already used by Qilin ransomware. TCP 443 bypass works too.
CISA orders federal agencies to patch CVSS 10.0 Ivanti Sentry flaw within 3 days—the first application of BOD 26-04. Exploitation is automated and widespread.
Microsoft releases CVE-2026-42897 fix for Exchange Server OWA XSS vulnerability exploited since May. ESU-only updates for 2016/2019 leave many systems exposed.
CVE-2026-7473 lets attackers bypass tunnel security controls on Arista network devices. CISA added it to KEV—but Arista says patching would 'break existing configurations.'
Security researcher Nightmare Eclipse releases fourth Microsoft Defender zero-day in months, granting SYSTEM privileges on patched Windows 10 and 11 systems. Here's what defenders need to know.
Google patches CVE-2026-11645, the fifth actively exploited Chrome zero-day of 2026. The V8 out-of-bounds memory flaw enables sandbox code execution via malicious web pages.
Microsoft's record-breaking June 2026 Patch Tuesday fixes 206 vulnerabilities including CVE-2026-45657, a CVSS 9.8 wormable kernel flaw allowing remote code execution without authentication.
CVE-2026-20245 lets attackers with netadmin credentials execute arbitrary commands as root on Cisco Catalyst SD-WAN Manager. Active exploitation confirmed, no fix available yet.
Fortinet confirms large-scale attacks against Citrix NetScaler ADC and Gateway appliances via CVE-2026-3055 SAML IDP flaw. CVSS 9.8—patch immediately.
Google patches actively exploited CVE-2025-48595 affecting Android 14+ alongside 123 additional vulnerabilities. Pixel devices get immediate updates—others must wait.
Critical CVSS 9.4 vulnerability in Gogs self-hosted Git service allows authenticated users to achieve RCE via argument injection. Maintainers unresponsive since March disclosure.
Microsoft Exchange Server zero-day CVE-2026-42897 enables session hijacking via malicious emails. Active exploitation confirmed with no permanent fix available.
CVE-2026-43284 and CVE-2026-43500 chain together for deterministic root access. PoC exploit is public, patches still rolling out. Here's how to detect and mitigate.
CVE-2026-34926 lets attackers inject malicious code into Apex One servers and deploy it to all connected endpoint agents. CISA confirms active exploitation with June 4 federal deadline.
A Chromium bug reported in 2022 that turns browsers into silent botnets was accidentally exposed on Google's issue tracker. No patch exists despite 'fixed' status.
Security researchers disclose nginx-poolslip, an unpatched zero-day in NGINX 1.31.0 that defeats ASLR protection. Millions of servers at risk with no CVE or fix available yet.
DEVCORE claims Master of Pwn with $505K across three days. VMware ESXi and SharePoint exploits highlight Day 3 as Pwn2Own Berlin 2026 awards $1.29M total.
Day two of Pwn2Own Berlin 2026 yields 15 new zero-days worth $385,750. Orange Tsai chains three bugs for SYSTEM-level Exchange RCE, earning the event's largest payout.
Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.
Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.
A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.
Google's Threat Intelligence Group identifies a criminal group using an LLM-generated exploit to bypass 2FA in a web admin tool—marking the first confirmed AI-built zero-day in active use.
A new Linux kernel flaw dubbed Dirty Frag (CVE-2026-43284) enables instant root on all major distros. No patches exist after embargo collapsed.
CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.
Russian military hackers deployed PRISMEX steganography malware against Ukraine and NATO logistics networks, exploiting zero-days CVE-2026-21509 and CVE-2026-21513 weeks before patches.
Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.
Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.
Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.
Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities including CVE-2026-32201, an actively exploited SharePoint zero-day. Eight critical RCE flaws patched.
CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.
AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.
CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.
CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.
CVE-2026-33017 (CVSS 9.3) lets attackers execute arbitrary Python code on Langflow AI pipelines without authentication. Exploitation began before any PoC existed.
Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.
Google patches two actively exploited Chrome zero-days affecting Skia graphics and V8 JavaScript engine. CISA adds both to KEV catalog with March 27 deadline.
Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities including two publicly disclosed zero-days in SQL Server and .NET. Eight flaws rated Critical.
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
Google's March 2026 Android security update patches 129 vulnerabilities including CVE-2026-21385, a Qualcomm graphics flaw affecting 234 chipsets under active exploitation.
CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.