Tag: flaw
-
Critical sandbox bypass fixed in popular Thymeleaf Java template engine
new keyword followed by an ASCII space, T (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for ASCII space 0x20 characters, but the SpEL’s parser also accepts tab (0x09), newline (0x0A), and other control characters between new and the class name.Another policy blocked classes…
-
We Need a Shared Responsibility Model for AI
Over the past 6-8 months, researchers at my company discovered vulnerabilities across multiple AI tools that allowed external bad actors to steal data, exploit AI browsers, or poison the core memories of AI systems. As we responsibly disclosed these flaws, we found that AI vendors almost universally told us, “It’s not our problem.” In their..…
-
We Need a Shared Responsibility Model for AI
Over the past 6-8 months, researchers at my company discovered vulnerabilities across multiple AI tools that allowed external bad actors to steal data, exploit AI browsers, or poison the core memories of AI systems. As we responsibly disclosed these flaws, we found that AI vendors almost universally told us, “It’s not our problem.” In their..…
-
Clothing Retailer Patches Website Flaw Exposing Customer Data
A clothing retailer patched a website flaw that exposed customer data via order links, highlighting risks associated with predictable URL structures. The post Clothing Retailer Patches Website Flaw Exposing Customer Data appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-clothing-retailer-data-exposure-order-link-flaw/
-
Hackers are abusing unpatched Windows security flaws to hack into organizations
A security researcher published details of three security vulnerabilities in Windows Defender, and the code used to exploit them. Now, hackers are taking advantage of the vulnerabilities in real-life attacks, according to a cybersecurity firm. First seen on techcrunch.com Jump to article: techcrunch.com/2026/04/17/hackers-are-abusing-unpatched-windows-security-flaws-to-hack-into-organizations/
-
Bank cyber teams on red alert as Anthropic promises them Mythos next week
Artificial intelligence supplier promises UK banks opportunity to review AI model, which has already revealed thousands of security flaws First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week
-
TP-Link routers face exploitation attempt linked to high-severity flaw
Researchers warn a potential botnet is targeting a vulnerability in end-of-life devices.; First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/tp-link-routers-exploitation-high-severity-flaw/817831/
-
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems.The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (…
-
CVE-2026-34197: Apache ActiveMQ Jolokia RCE Vulnerability
CVE-2026-34197: ActiveMQ Jolokia flaw enables authenticated RCE, exposing sensitive data, credentials, and integrated systems across enterprise environments. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/cve-2026-34197-apache-activemq-jolokia-rce-vulnerability/
-
Another Microsoft Defender privilege escalation bug emerges days after patch
Second Defender-based LPE in days: The Defender flaw addressed earlier this week as part of Patch Tuesday was one of the two zero-day bugs Microsoft fixed, and it also allowed local privilege escalation stemming from “insufficient granularity of access control.”While Microsoft attributed the discovery of the flaw, tracked as CVE-2026-33825, to security researcher Zen Dodd,…
-
CISA flags Apache ActiveMQ flaw as actively exploited in attacks
CISA warned that attackers are now exploiting a high-severity Apache ActiveMQ vulnerability, which was patched earlier this month after going undetected for 13 years. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cisa-flags-apache-activemq-flaw-as-actively-exploited-in-attacks/
-
PoC Released for FortiSandbox Flaw Enabling Arbitrary Command Execution
A proof-of-concept (PoC) exploit has been publicly released for a critical security flaw in Fortinet’s FortiSandbox. Tracked as CVE-2026-39808, this severe vulnerability allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system with the highest level of privileges. Security researcher Samuel de Lucas recently published the exploit details on GitHub, highlighting the…
-
Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug
University student says he plans to move to Android, but concedes iOS engineers acting fast First seen on theregister.com Jump to article: www.theregister.com/2026/04/17/iphone_keyboard_error_fix/
-
Inside ZionSiphon: politically driven malware aims at Israeli water systems
New ZionSiphon malware targets water systems, and allows attackers to alter pressure and chlorine levels. A flaw makes it ineffective for now. Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels. The malware combines…
-
Inside ZionSiphon: politically driven malware aims at Israeli water systems
New ZionSiphon malware targets water systems, and allows attackers to alter pressure and chlorine levels. A flaw makes it ineffective for now. Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels. The malware combines…
-
Inside ZionSiphon: politically driven malware aims at Israeli water systems
New ZionSiphon malware targets water systems, and allows attackers to alter pressure and chlorine levels. A flaw makes it ineffective for now. Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels. The malware combines…
-
Critical nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
A critical vulnerability identified as CVE-2026-33032 is drawing urgent attention from the cybersecurity community due to its role in enabling a full-scale Nginx server takeover. The flaw affects nginx-ui, a widely used open-source web interface designed to simplify the management of Nginx servers. Since its disclosure, evidence has confirmed that attackers are already exploiting the issue in real-world scenarios.…
-
Critical Flowise Flaw Enables Remote Command Execution via MCP Adapters
OX Security researchers have uncovered a critical, systemic vulnerability built directly into the architecture of Anthropic’s Model Context Protocol (MCP). As the industry standard for AI agent communication, this foundational flaw exposes systems to Arbitrary Command Execution (RCE). Attackers who exploit this vulnerability can seize complete control of affected MCP implementations, gaining direct access to…
-
U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-34197 is a critical flaw in Apache ActiveMQ caused by…
-
U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-34197 is a critical flaw in Apache ActiveMQ caused by…
-
U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-34197 is a critical flaw in Apache ActiveMQ caused by…
-
EU Age Verification App Breached in Just 2 Minutes, Researchers Claim
A highly anticipated European Union Age Verification application has come under heavy scrutiny after a security researcher demonstrated how to bypass its core protections in less than two minutes. The application, recently praised by EU officials for its robust privacy standards, contains severe cryptographic and design flaws that allow attackers to easily hijack user identity…
-
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian First seen on thehackernews.com…
-
Anthropic won’t own MCP ‘design flaw’ putting 200K servers at risk, researchers say
Bug or feature? First seen on theregister.com Jump to article: www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
-
Anthropic won’t own MCP ‘design flaw’ putting 200K servers at risk, researcher says
Bug or feature? First seen on theregister.com Jump to article: www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
-
Cisco fixed four critical flaws in Identity Services and Webex
Cisco fixed four critical flaws in Identity Services and Webex that could allow code execution and user impersonation. Cisco has addressed four critical vulnerabilities affecting its Identity Services and Webex platforms. The flaws could allow attackers to execute arbitrary code and impersonate any user within the affected services. The issues pose serious security risks, prompting…
-
Critical MCP Integration Flaw Puts NGINX at Risk
Attackers can abuse the near-maximum severity flaw in nginx-ui to restart, create, modify, and delete NGINX configuration files. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/critical-mcp-integration-flaw-nginx-risk
-
CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access
An actively exploited critical nginx-ui flaw (CVE-2026-33032) lets attackers bypass authentication and take full control of Nginx servers. A critical vulnerability in nginx-ui, tracked as CVE-2026-33032 (CVSS score of 9.8), is being actively exploited, allowing attackers to bypass authentication and fully take over Nginx servers. The issue stems from improper protection of the /mcp_message endpoint,…
-
Microsoft, Salesforce Patch AI Agent Data Leak Flaws
Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/microsoft-salesforce-patch-ai-agent-data-leak-flaws
-
U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog
Tags: apple, cisa, cybersecurity, exploit, flaw, infrastructure, kev, microsoft, office, vulnerabilityU.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA)added Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: The first vulnerability…