Tag: cvss

Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release

Apr 21, 2026 1:39 PM

Tags: apache, cve, cvss, cyber, exploit, flaw, government, identity, open-source, rce, remote-code-execution, vulnerability

Security researchers have released full technical details and a working proof-of-concept (PoC) exploit for CVE-2025-57738, a high-severity remote code execution (RCE) vulnerability in Apache Syncope, a widely deployed open-source identity management platform used across enterprise and government environments. Tracked as CVE-2025-57738 with a CVSS score of 7.2 (HIGH), the flaw exists in how Apache Syncope…
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

Apr 20, 2026 9:39 PM

Tags: cve, cvss, exploit, injection, malicious, open-source, rce, remote-code-execution, vulnerability

A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems.The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.SGLang is a high-performance,…
(g+) Cisco FMC Zero-Day Interlock: Totalverlust der Netzwerksicherheit

Apr 20, 2026 2:38 PM

Tags: cisco, cvss, firewall, zero-day

Interlock hat eine CVSS-10-Lücke in Ciscos FMC 36 Tage als Zero-Day genutzt. So wurde das Firewall-Management-Interface zum Einfallstor. First seen on golem.de Jump to article: www.golem.de/news/cisco-fmc-zero-day-interlock-totalverlust-der-netzwerksicherheit-2604-207761.html
Copilot & Agentforce offen für PromptTricks

Apr 20, 2026 12:38 PM

Tags: access, ai, bug, cvss, cyberattack, injection, least-privilege, mail, microsoft, update, vulnerability

KI-Agenten sind populär und anfällig dafür, missbraucht zu werden.KI-Agenten fürs Enterprise können bekanntlich Arbeitsabläufe optimieren. Aber auch die Datenexfiltration wie Sicherheitsforscher von Capsule Security herausgefunden haben. Sie haben sowohl in Microsoft Copilot Studio als auch Salesforce Agentforce Prompt-Injection-Schwachstellen entdeckt.Diese ermöglichen Angreifern in beiden Fällen schadhafte Befehle über scheinbar harmlose Prompts einzuschleusen mit potenziell verheerenden Folgen.…
Critical Gardyn Flaws Open Smart Garden Devices to Remote Hijacking

Apr 20, 2026 8:39 AM

Tags: advisory, cvss, cyber, cybersecurity, exploit, flaw, infrastructure, malicious, vulnerability

A recently updated advisory from the Cybersecurity and Infrastructure Security Agency (CISA) has revealed severe vulnerabilities in Gardyn Home Kit systems. These critical flaws carry a maximum CVSS score of 9.3 and could allow malicious actors to hijack smart gardening devices remotely. According to the April 2026 alert, successful exploitation enables unauthenticated attackers to completely…
Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching

Apr 17, 2026 12:48 AM

Tags: ai, business, cvss, cyberattack, data, exploit, LLM, mitigation, network, remote-code-execution, risk, strategy, supply-chain, threat, tool, update, vulnerability, vulnerability-management

See how Tenable Hexa AI custom agents empower you to counter machine-speed threats by automating vulnerability remediation. Learn how the Model Context Protocol (MCP) automates execution of risk-driven patching workflows, shifting your strategy from reactive tracking to continuous exposure management. Key takeaways Even in previews, powerful AI models like Claude Mythos show us how quickly…
April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs

Apr 17, 2026 12:48 AM

Tags: access, ai, attack, business, ciso, cloud, cve, cvss, cyber, data, exploit, firewall, flaw, identity, injection, international, ivanti, LLM, malware, microsoft, network, remote-code-execution, sap, social-engineering, software, sql, threat, tool, unauthorized, update, vulnerability, windows, zero-day

block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE;for systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses.Microsoft noted that these actions reduce the attack surface, but don’t replace installing the security update.Breen said that…
April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs

Apr 17, 2026 12:48 AM

Tags: access, ai, attack, business, ciso, cloud, cve, cvss, cyber, data, exploit, firewall, flaw, identity, injection, international, ivanti, LLM, malware, microsoft, network, remote-code-execution, sap, social-engineering, software, sql, threat, tool, unauthorized, update, vulnerability, windows, zero-day

block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE;for systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses.Microsoft noted that these actions reduce the attack surface, but don’t replace installing the security update.Breen said that…
Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic

Apr 15, 2026 12:52 AM

Tags: ai, api, application-security, attack, authentication, automation, best-practice, business, ceo, cisa, cloud, compliance, container, control, cve, cvss, cyber, cybersecurity, data, data-breach, endpoint, exploit, fedramp, finance, flaw, framework, governance, group, HIPAA, identity, injection, insurance, kev, law, linkedin, linux, LLM, macOS, network, PCI, risk, service, soc, software, strategy, technology, threat, update, vulnerability, vulnerability-management, windows, zero-day, zero-trust

With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare. Key takeaways Anthropic announced Claude Mythos Preview, its most powerful general-purpose frontier…
Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)

Apr 14, 2026 10:53 PM

Tags: advisory, api, attack, best-practice, cloud, container, cve, cvss, cyber, data, exploit, firewall, firmware, flaw, framework, github, Internet, malicious, microsoft, mitigation, office, powershell, rce, remote-code-execution, service, software, sql, startup, tool, update, vulnerability, windows, zero-day

8Critical 154Important 1Moderate 0Low Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild. Microsoft patched 163 CVEs in its April 2026 Patch Tuesday release, with eight rated critical, 154 rated as important and one rated as moderate. This is the second…
Critical etcd Vulnerability Allows Unauthorized Access to Sensitive Cluster APIs

Apr 14, 2026 1:51 PM

Tags: access, ai, api, authentication, cve, cvss, cyber, flaw, unauthorized, vulnerability

An autonomous AI security agent developed by Strix has discovered a critical authentication bypass vulnerability in etcd, the widely used distributed key-value store that underpins countless backend systems worldwide. Tracked as CVE-2026-33413 and assigned a CVSS score of 8.8, this flaw allows unauthenticated or under-privileged users to invoke sensitive cluster operations. Strix identified the broken…
ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

Apr 14, 2026 8:52 AM

Tags: china, cve, cvss, exploit, flaw, rce, remote-code-execution, service, vulnerability

A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild.The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0.It relates to a case of unrestricted file upload that stems from improper validation of First…
Critical Axios Vulnerability Enables Remote Code Execution, PoC Released

Apr 13, 2026 1:52 PM

Tags: cloud, control, cve, cvss, cyber, flaw, infrastructure, remote-code-execution, vulnerability

A critical security vulnerability has been discovered in Axios, one of the most widely used HTTP client libraries, exposing applications to Remote Code Execution (RCE) and full cloud infrastructure compromise. Tracked as CVE-2026-40175, this flaw carries a critical CVSS 3.1 score of 9.9 and allows attackers to bypass AWS IMDSv2 security controls to exfiltrate sensitive…
Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure

Apr 13, 2026 11:52 AM

Tags: cve, cvss, cyber, data-breach, exploit, flaw, open-source, rce, remote-code-execution, vulnerability

A critical remote code execution (RCE) vulnerability in the open-source Python notebook platform Marimo was actively exploited less than 10 hours after its public disclosure. The flaw, initially tracked as GHSA-2679-6mx9-h9xc and later assigned CVE-2026-39987, carries a critical CVSS score of 9.3. It allows unauthenticated attackers to gain a full interactive shell on exposed Marimo…
Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure

Apr 13, 2026 11:52 AM

Tags: cve, cvss, cyber, data-breach, exploit, flaw, open-source, rce, remote-code-execution, vulnerability

A critical remote code execution (RCE) vulnerability in the open-source Python notebook platform Marimo was actively exploited less than 10 hours after its public disclosure. The flaw, initially tracked as GHSA-2679-6mx9-h9xc and later assigned CVE-2026-39987, carries a critical CVSS score of 9.3. It allows unauthenticated attackers to gain a full interactive shell on exposed Marimo…
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621

Apr 12, 2026 8:52 AM

Tags: adobe, cve, cvss, exploit, flaw, malicious, update, vulnerability

Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild.The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.It has…
Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit”¦

Apr 11, 2026 1:52 AM

Tags: ai, browser, chrome, cisa, cvss, data, exploit, gartner, kev, open-source, risk, tool, update, vulnerability

Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit Speed. So? Many years ago while at Gartner, I wrote a blog post where I defined the concept of the “Patch Sound Barrier.” (original via Archive if you don’t believe that I was that smart back in 2013 🙂) This was an…
Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data

Apr 10, 2026 3:52 PM

Tags: api, cve, cvss, cyber, data, exploit, flaw, github, hacker, injection, malicious, vulnerability

A high-severity flaw in GitHub Copilot Chat recently allowed attackers to silently steal sensitive data like API keys and private source code. Tracked as CVE-2025-59145 with a critical CVSS score of 9.6, this vulnerability required no malicious code execution. Instead, hackers used a clever prompt injection technique known as >>CamoLeak.<< A security researcher publicly disclosed…
Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data

Apr 10, 2026 3:52 PM

Tags: api, cve, cvss, cyber, data, exploit, flaw, github, hacker, injection, malicious, vulnerability

A high-severity flaw in GitHub Copilot Chat recently allowed attackers to silently steal sensitive data like API keys and private source code. Tracked as CVE-2025-59145 with a critical CVSS score of 9.6, this vulnerability required no malicious code execution. Instead, hackers used a clever prompt injection technique known as >>CamoLeak.<< A security researcher publicly disclosed…
Juniper Networks Default Credential Vulnerability Allows Unauthorized Full Access

Apr 10, 2026 9:52 AM

Tags: access, control, credentials, cve, cvss, cyber, flaw, network, unauthorized, vulnerability

Juniper Networks has issued a critical security alert regarding a severe vulnerability in its Support Insights (JSI) Virtual Lightweight Collector (vLWC). Tracked as CVE-2026-33784, this default credential flaw carries a near-maximum CVSS v3.1 severity score of 9.8. If left unresolved, the vulnerability allows remote, unauthenticated attackers to seize complete control over affected network devices. The…
Technical Details Released for Critical Cisco SSM Command Execution Vulnerability

Apr 9, 2026 1:59 PM

Tags: cisco, cve, cvss, cyber, flaw, software, vulnerability

Security researchers have published technical details regarding a highly critical vulnerability in the Cisco Smart Software Manager On-Prem (SSM On-Prem). Tracked as CVE-2026-20160, this flaw carries a near-maximum CVSS score of 9.8. It allows remote, unauthenticated attackers to execute commands as a root user. With no workarounds available, organizations must apply patches immediately to secure…
5 practical steps to strengthen attack resilience with attack surface management

Apr 7, 2026 9:54 PM

Tags: access, api, attack, authentication, automation, backup, breach, business, cloud, container, control, credentials, cvss, cyber, cybersecurity, data, data-breach, detection, dns, email, endpoint, exploit, framework, government, identity, iot, malicious, monitoring, msp, network, nist, phishing, ransomware, resilience, risk, service, social-engineering, software, threat, tool, update, vpn, vulnerability, vulnerability-management, windows

What can attackers actually reach right now? By continuously identifying and prioritizing exposure across your environment, ASM transforms raw visibility into measurable cyber resilience.Below are five practical steps security teams can take to strengthen attack resilience using attack surface management principles. Effective attack surface management starts with complete visibility. Security gaps often appear because teams…
5 practical steps to strengthen attack resilience with attack surface management

Apr 7, 2026 9:54 PM

Tags: access, api, attack, authentication, automation, backup, breach, business, cloud, container, control, credentials, cvss, cyber, cybersecurity, data, data-breach, detection, dns, email, endpoint, exploit, framework, government, identity, iot, malicious, monitoring, msp, network, nist, phishing, ransomware, resilience, risk, service, social-engineering, software, threat, tool, update, vpn, vulnerability, vulnerability-management, windows

What can attackers actually reach right now? By continuously identifying and prioritizing exposure across your environment, ASM transforms raw visibility into measurable cyber resilience.Below are five practical steps security teams can take to strengthen attack resilience using attack surface management principles. Effective attack surface management starts with complete visibility. Security gaps often appear because teams…
5 practical steps to strengthen attack resilience with attack surface management

Apr 7, 2026 9:54 PM

Tags: access, api, attack, authentication, automation, backup, breach, business, cloud, container, control, credentials, cvss, cyber, cybersecurity, data, data-breach, detection, dns, email, endpoint, exploit, framework, government, identity, iot, malicious, monitoring, msp, network, nist, phishing, ransomware, resilience, risk, service, social-engineering, software, threat, tool, update, vpn, vulnerability, vulnerability-management, windows

What can attackers actually reach right now? By continuously identifying and prioritizing exposure across your environment, ASM transforms raw visibility into measurable cyber resilience.Below are five practical steps security teams can take to strengthen attack resilience using attack surface management principles. Effective attack surface management starts with complete visibility. Security gaps often appear because teams…
Attackers Exploit Flowise Injection Vulnerability as 15,000+ Instances Remain Exposed

Apr 7, 2026 11:50 AM

Tags: ai, control, cve, cvss, cyber, data-breach, exploit, flaw, injection, malicious, open-source, vulnerability

A critical security flaw in Flowise, a popular open-source AI development platform, is currently being exploited in the wild. Tracked as CVE-2025-59528, this code injection vulnerability carries a maximum CVSS score of 10.0. It allows remote attackers to execute malicious code and take complete control of affected servers. Security researchers warn that up to 15,000…
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Apr 7, 2026 8:51 AM

Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerability

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Apr 7, 2026 8:51 AM

Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerability

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Apr 7, 2026 8:51 AM

Tags: ai, cve, cvss, data-breach, exploit, flaw, injection, intelligence, open-source, rce, remote-code-execution, threat, vulnerability

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.”The CustomMCP node allows users to input configuration settings for connecting First seen on thehackernews.com…
50,000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE

Apr 7, 2026 8:51 AM

Tags: cve, cvss, cyber, flaw, rce, remote-code-execution, vulnerability, wordpress

A severe security flaw has been discovered in the Ninja Forms File Upload plugin, a widely utilized WordPress add-on that allows website administrators to accept documents, images, and other media from their visitors. Tracked officially as CVE-2026-0740, this unauthenticated arbitrary file upload vulnerability carries a maximum critical CVSS score of 9.8. With an estimated 50,000…
Critical Dgraph Database Flaw Allowed Attackers to Bypass Authentication

Apr 6, 2026 10:51 AM

Tags: authentication, cve, cvss, cyber, data-breach, flaw, open-source, vulnerability

A newly discovered critical vulnerability in the open-source Dgraph database system leaves servers exposed to complete system takeovers. Tracked as CVE-2026-34976 and carrying a maximum CVSS score of 10.0, this missing authorization flaw allows remote, unauthenticated attackers to overwrite databases, read sensitive server files, and launch Server-Side Request Forgery (SSRF) attacks. Currently, all Dgraph versions…