Tag: flaw
-
1-Click ZITADEL Vulnerability Could Allow Full System Takeover
A critical Cross-Site Scripting (XSS) vulnerability has been discovered in ZITADEL, a popular open-source identity and access management platform. Tracked as CVE-2026-29191 with a Critical severity rating, this flaw resides in the platform’s login V2 interface, specifically within the /saml-post endpoint. It allows unauthenticated remote attackers to execute malicious JavaScript directly within a user’s browser. With a…
-
Nginx UI Vulnerabilities Let Attackers Download Full System Backups
A critical security flaw has been discovered in Nginx UI that allows unauthenticated threat actors to download and decrypt complete system backups. Tracked as CVE-2026-27944, this vulnerability carries a maximum critical severity score of 9.8 out of 10. The flaw exposes highly sensitive data, including user credentials, session tokens, and SSL private keys, putting entire…
-
Nginx UI Vulnerabilities Let Attackers Download Full System Backups
A critical security flaw has been discovered in Nginx UI that allows unauthenticated threat actors to download and decrypt complete system backups. Tracked as CVE-2026-27944, this vulnerability carries a maximum critical severity score of 9.8 out of 10. The flaw exposes highly sensitive data, including user credentials, session tokens, and SSL private keys, putting entire…
-
Hikvision Multiple Product Vulnerability Could Let Attackers Escalate Privileges
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting multiple Hikvision products to its Known Exploited Vulnerabilities (KEV) catalog. This urgent addition, made on March 5, 2026, serves as a stark warning to network defenders after federal authorities confirmed that threat actors are actively exploiting the bug in real-world…
-
Critical ExifTool Vulnerability Allows Malicious Images to Execute Code on macOS
Many users believe macOS is inherently resistant to malware, but a newly discovered vulnerability proves otherwise. Kaspersky’s Global Research and Analysis Team (GReAT) recently uncovered a critical flaw, tracked as CVE-2026-3102, within ExifTool. ExifTool is a widely popular open-source application and library for extracting and editing file metadata. If a macOS user processes a specially…
-
CISA Alerts Users to Actively Exploited Vulnerabilities Impacting macOS and iOS
Tags: apple, cisa, cyber, cybersecurity, exploit, flaw, infrastructure, kev, macOS, network, vulnerabilityThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding three actively exploited vulnerabilities affecting multiple Apple platforms. On March 5, 2026, CISA added these security flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate attention from network defenders and system administrators. These vulnerabilities impact a wide range of Apple devices…
-
Critical Nginx UI flaw CVE-2026-27944 exposes server backups
Nginx UI flaw CVE-2026-27944 lets attackers download and decrypt server backups without authentication, exposing sensitive data on public management interfaces. A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management…
-
WordPress Plugin Flaw Lets Attackers Create Admin Accounts
A WordPress plugin flaw allows attackers to create administrator accounts and take over vulnerable sites. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/wordpress-plugin-flaw-lets-attackers-create-admin-accounts/
-
WordPress Plugin Flaw Lets Attackers Create Admin Accounts
A WordPress plugin flaw allows attackers to create administrator accounts and take over vulnerable sites. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/wordpress-plugin-flaw-lets-attackers-create-admin-accounts/
-
AWS-LC Flaws Could Bypass Certificate Verification
AWS disclosed vulnerabilities in its AWS-LC cryptographic library that could bypass certificate verification and expose timing weaknesses. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/aws-lc-flaws-could-bypass-certificate-verification/
-
Spyware Makers Topped Google’s List of Zero-Day Exploits for the First Time in 2025
For the first time, spyware makers topped Google’s list of organizations that exploited zero-day flaws in 2025, overtaking nation-state actors from China, Russia, and elsewhere and continuing a trends that Google researchers warned about two years ago. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/spyware-makers-in-2025-for-the-first-time-topped-googles-lists-of-zero-day-exploits/
-
CISA warns feds to patch iOS flaws exploited in crypto-theft attacks
CISA ordered U.S. federal agencies to patch three iOS security flaws targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cisa-warns-of-apple-flaws-exploited-in-spyware-crypto-theft-attacks/
-
Spyware Makers in 2025 for the First Time Topped Google’s Lists of Zero-Day Exploits
For the first time, spyware makers topped Google’s list of organizations that exploited zero-day flaws in 2025, overtaking nation-state actors from China, Russia, and elsewhere and continuing a trends that Google researchers warned about two years ago. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/spyware-makers-in-2025-for-the-first-time-topped-googles-lists-of-zero-day-exploits/
-
Nearly half of exploited zero-day flaws target enterprise-grade technology
A report by Google Threat Intelligence Group warns that AI will be used to speed and scale attacks in 2026. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/half-exploited-zero-day-flaws-enterprise-grade-technology/814021/
-
Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws
Cisco warns that two recently patched Catalyst SD-WAN flaws, CVE-2026-20128 and CVE-2026-20122, are already being actively exploited in the wild. Cisco warned customers that threat actors are actively exploiting two recently patched Catalyst SD-WAN vulnerabilities, CVE-2026-20128 and CVE-2026-20122. The networking giant urged organizations to apply the latest security updates to reduce the risk of compromise.…
-
CISA warns of Apple flaws exploited in spyware, crypto-theft attacks
CISA ordered U.S. federal agencies to patch three iOS security flaws targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cisa-warns-of-apple-flaws-exploited-in-spyware-crypto-theft-attacks/
-
Cisco warns of two more SD-WAN bugs under active attack
Switchzilla says flaws could allow file overwrites or privilege escalation First seen on theregister.com Jump to article: www.theregister.com/2026/03/06/cisco_sdwan_bugs/
-
Cisco Patches 48 Firewall Vulnerabilities with Two CVSS 10 Flaws
Cisco patches 48 vulnerabilities in Secure Firewall products, including two critical CVSS 10 flaws that could allow authentication bypass and remote code execution. First seen on hackread.com Jump to article: hackread.com/cisco-patches-firewall-vulnerabilities-cvss-10-flaws/
-
AVideo Platform Vulnerability Allows Hackers to Hijack Streams via Zero-Click Command Injection
A highly critical security flaw has been disclosed in the AVideo platform, leaving media servers exposed to complete system takeover. Tracked as CVE-2026-29058, this zero-click, unauthenticated operating system command injection vulnerability allows hackers to hijack streams and remotely execute malicious shell commands. The flaw carries a maximum critical severity score of 9.8 out of 10.…
-
Apache ActiveMQ Flaw Enables DoS Attacks via Malformed Network Packets
Security researchers have uncovered a significant vulnerability in Apache ActiveMQ, a popular open-source message broker used by enterprises to route data between applications. Tracked as CVE-2025-66168, this security flaw allows malicious actors to trigger unexpected broker behavior and potential denial-of-service (DoS) conditions by sending specifically crafted, malformed network packets. A successful attack against a message…
-
U.S. CISA adds Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: CVE-2023-43000 is a use-after-free issue in the WebKit component. Apple…
-
Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow
Google’s GTIG reports 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024, with a growing share targeting enterprise systems. Google’s Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025. While slightly below the 100 observed in 2023, the number increased from 78 in 2024, with…
-
AWS-LC Flaw Exposes Amazon Users to Attacks by Bypassing Certificate Chain Validation
Amazon issued a critical security bulletin (2026-005-AWS) detailing three high-severity vulnerabilities in AWS-LC, its open-source cryptographic library. Discovered through a coordinated disclosure process with the AISLE Research Team, these flaws pose a serious risk to cloud infrastructure. Developers rely heavily on AWS-LC as a general-purpose library to secure digital communications. Because of this widespread use,…
-
Zero-day exploits hit enterprises faster and harder
Tags: access, apple, attack, backdoor, business, china, cisco, cve, data, detection, endpoint, espionage, exploit, firewall, flaw, fortinet, google, group, hacker, infrastructure, ivanti, least-privilege, mobile, network, oracle, radius, ransomware, risk, router, russia, service, software, technology, threat, update, vpn, vulnerability, zero-dayEnterprise environments under siege: Chinese threat actors continued to display a preference for targets that are difficult to monitor and allow persistent access to strategic networks. Notable examples include the groups that GTIG tracks as UNC5221, which exploited a flaw in Ivanti Connect Secure (CVE-2025-0282) and UNC3886, which exploited a vulnerability in Juniper routers (CVE-2025-21590).Another…
-
Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog
Tags: authentication, automation, cisa, cve, cvss, cybersecurity, exploit, flaw, infrastructure, kev, vulnerabilityThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.The critical-severity vulnerabilities are listed below -CVE-2017-7921 (CVSS score: 9.8) – An improper authentication vulnerability affecting First seen on thehackernews.com Jump to article: thehackernews.com/2026/03/hikvision-and-rockwell-automation-cvss.html
-
WordPress Membership Plugin Flaw Lets Attackers Create Admin Accounts
A critical security vulnerability in the popular WordPress User Registration & Membership plugin allows unauthenticated attackers to easily create administrator accounts. The severe flaw, officially tracked as CVE-2026-1492, currently affects all plugin versions up to and including 5.1.2. Because it requires no prior authentication or user interaction to exploit, the vulnerability carries a maximum critical…
-
Cisco issues emergency patches for critical firewall vulnerabilities
root access to the device.”And CVE-2026-20131 is described thusly: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”There are no workarounds for either…
-
Cisco issues emergency patches for critical firewall vulnerabilities
root access to the device.”And CVE-2026-20131 is described thusly: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”There are no workarounds for either…
-
PleaseFix Flaw Lets Hackers Access 1Password Vault via Comet AI Browser
Researchers at Zenity Labs uncover PleaseFix flaws in Perplexity’s Comet browser. See how zero-click calendar invites allow AI agents to steal 1Password credentials and personal files. First seen on hackread.com Jump to article: hackread.com/pleasefix-flaw-hackers-1password-vault-comet-ai-browser/
-
Cisco Firewall Management Flaw Enables Remote Code Execution
Cisco disclosed a critical firewall management flaw that allows unauthenticated remote code execution. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cisco-firewall-management-flaw-enables-remote-code-execution/