Tag: cvss
-
Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure
Tags: cve, cvss, cyber, data-breach, exploit, flaw, open-source, rce, remote-code-execution, vulnerabilityA critical remote code execution (RCE) vulnerability in the open-source Python notebook platform Marimo was actively exploited less than 10 hours after its public disclosure. The flaw, initially tracked as GHSA-2679-6mx9-h9xc and later assigned CVE-2026-39987, carries a critical CVSS score of 9.3. It allows unauthenticated attackers to gain a full interactive shell on exposed Marimo…
-
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild.The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.It has…
-
Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit”¦
Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit Speed. So? Many years ago while at Gartner, I wrote a blog post where I defined the concept of the “Patch Sound Barrier.” (original via Archive if you don’t believe that I was that smart back in 2013 🙂) This was an…
-
Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data
A high-severity flaw in GitHub Copilot Chat recently allowed attackers to silently steal sensitive data like API keys and private source code. Tracked as CVE-2025-59145 with a critical CVSS score of 9.6, this vulnerability required no malicious code execution. Instead, hackers used a clever prompt injection technique known as >>CamoLeak.<< A security researcher publicly disclosed…
-
Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data
A high-severity flaw in GitHub Copilot Chat recently allowed attackers to silently steal sensitive data like API keys and private source code. Tracked as CVE-2025-59145 with a critical CVSS score of 9.6, this vulnerability required no malicious code execution. Instead, hackers used a clever prompt injection technique known as >>CamoLeak.<< A security researcher publicly disclosed…
-
Technical Details Released for Critical Cisco SSM Command Execution Vulnerability
Security researchers have published technical details regarding a highly critical vulnerability in the Cisco Smart Software Manager On-Prem (SSM On-Prem). Tracked as CVE-2026-20160, this flaw carries a near-maximum CVSS score of 9.8. It allows remote, unauthenticated attackers to execute commands as a root user. With no workarounds available, organizations must apply patches immediately to secure…
-
Attackers Exploit Flowise Injection Vulnerability as 15,000+ Instances Remain Exposed
Tags: ai, control, cve, cvss, cyber, data-breach, exploit, flaw, injection, malicious, open-source, vulnerabilityA critical security flaw in Flowise, a popular open-source AI development platform, is currently being exploited in the wild. Tracked as CVE-2025-59528, this code injection vulnerability carries a maximum CVSS score of 10.0. It allows remote attackers to execute malicious code and take complete control of affected servers. Security researchers warn that up to 15,000…
-
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerabilityThreat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
-
50,000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE
A severe security flaw has been discovered in the Ninja Forms File Upload plugin, a widely utilized WordPress add-on that allows website administrators to accept documents, images, and other media from their visitors. Tracked officially as CVE-2026-0740, this unauthenticated arbitrary file upload vulnerability carries a maximum critical CVSS score of 9.8. With an estimated 50,000…
-
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerabilityThreat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
-
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerabilityThreat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
-
Critical Dgraph Database Flaw Allowed Attackers to Bypass Authentication
A newly discovered critical vulnerability in the open-source Dgraph database system leaves servers exposed to complete system takeovers. Tracked as CVE-2026-34976 and carrying a maximum CVSS score of 10.0, this missing authorization flaw allows remote, unauthenticated attackers to overwrite databases, read sensitive server files, and launch Server-Side Request Forgery (SSRF) attacks. Currently, all Dgraph versions…
-
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.”This First…
-
Cisco Smart Software Manager Flaw Allowed Arbitrary Command Execution
Cisco has released a high-priority security advisory regarding a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) platform. The flaw, tracked as CVE-2026-20160, carries a near-maximum CVSS severity score of 9.8 out of 10. If exploited, it enables an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating…
-
Vim and GNU Emacs: Claude Code helpfully found zero-day exploits for both
P_MLE and P_SECURE) in the tabpanel sidebar introduced in 2025, and a missing security check in the autocmd_add() function.Claude Code then helpfully tried to find ways to exploit the vulnerability, eventually suggesting a tactic that bypassed the Vim sandbox by persuading a target to open a malicious file. It had gone from prompt to proof-of-concept…
-
TrueConf Vulnerability Under Active Exploitation in Southeast Asia Government Attacks
Check Point Research has discovered a critical zero-day vulnerability in the TrueConf video conferencing client. Tracked as CVE-2026-3502 with a CVSS score of 7.8, this flaw is currently being exploited in targeted attacks against government entities in Southeast Asia. Dubbed >>Operation TrueChaos,<< the campaign uses the application's trusted update system to deliver the Havoc post-exploitation…
-
Hackers Actively Exploit Critical WebLogic RCE Vulnerabilities in Ongoing Attacks
A maximum-severity vulnerability in Oracle WebLogic Server is facing rapid exploitation in the wild. Tracked as CVE-2026-21962, this unauthenticated Remote Code Execution (RCE) flaw carries a maximum CVSS score of 10.0. According to a recent honeypot study, attackers began weaponizing the flaw on January 22, 2026, the exact day public exploit code was released on…
-
Storm Brews Over Critical, No-Click Telegram Flaw
The vulnerability, which is allegedly triggered by a corrupted sticker in the messaging app, received a 9.8 CVSS score, but Telegram denies it exists. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/storm-brews-critical-no-click-telegram-flaw
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
Critical Citrix NetScaler Flaw Draws CitrixBleed Comparisons as Exploitation Window Narrows
A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is drawing urgent warnings from the security community, with experts cautioning that exploitation could be imminent and that the ghost of CitrixBleed looms large over the disclosure. Tracked as CVE-2026-3055 with a CVSS score of 9.3, the flaw is an out-of-bounds read issue affecting NetScaler…
-
Cisco Secure Firewall Vulnerability Exposes Systems to Remote Code Execution by Attackers
Cisco has released critical security updates to address a maximum-severity vulnerability affecting its Secure Firewall Management Center (FMC) Software. Tracked under the identifier CVE-2026-20131, this flaw carries a perfect CVSS base score of 10.0 and allows unauthenticated, remote attackers to execute arbitrary code. The situation is particularly urgent as the company has confirmed that threat…
-
New critical Citrix NetScaler hole of similar severity to CitrixBleed2, says expert
CSO in an email, because the hole allows an unauthenticated remote attacker to leak potentially sensitive information from the appliance’s memory.”This vulnerability is one that threat actors and researchers alike are paying attention to,” he said.The vulnerability carries similar ramifications to 2023’s CitrixBleed and 2025’s CitrixBleed2 memory leak vulnerabilities, Emmons added. Then, unauthenticated attackers with…
-
Chained vulnerabilities in Cisco Catalyst switches could induce denialservice
Vulnerable products and fixes: Cisco has addressed all four CVEs in its March 25 semiannual Cisco IOS and IOS XE Software Security Advisory. Although none of the individual CVSS scores are high (ranging from 4.8 for CVE-2026-20112 to 6.5 for CVE-2026-20110) the danger is amplified by the way the first two can be chained.Cisco’s Software…
-
German Police Rouse System Admins From Sleep Over IT Flaw
Police Fanned Out Early Sunday Brandishing an Advisory of a CVSS 10 Vulnerability. Police officers across Germany roused corporate IT administrators during the early hours of Sunday morning. Their message to bleary-eyed admins was to immediately patch a critical vulnerability in popular product lifecycle management software from U.S. vendor PTC. First seen on govinfosecurity.com Jump…
-
PTC Warns of Critical Windchill, FlexPLM Flaw Enabling Remote Code Execution
PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3. First seen on thecyberexpress.com…