Tag: vulnerability
-
38% of GitHub Actions Workflows Exposed to Script Injection Risks
Analysis has revealed that 38% of organizations are running GitHub Actions workflows vulnerable to script injection or unsafe trigger configurations, highlighting a growing risk in modern software supply chains. GitHub plays a central role in development pipelines by automating build, test, and deployment tasks through YAML-defined workflows and reusable actions. These workflows often run with…
-
Ivanti ITSM Flaw Could Allow Attackers to Escalate to Admin Access
Ivanti has patched a high-severity vulnerability in its Ivanti Neurons for ITSM platform that could allow authenticated attackers to escalate privileges and gain full administrative access to affected systems. Tracked as CVE-2026-9614, the flaw is classified as an improper access control issue (CWE-284) and carries a CVSS score of 8.8. The vulnerability affects both cloud…
-
Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user’s NTLMv2 hash to the attacker. Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool’s ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress. CVE-2026-33829 refers to a spoofing vulnerability that could…
-
Google Patches Actively Exploited Android Flaw Affecting Millions of Devices
Google fixed 124 Android flaws, including CVE-2025-48595, an actively exploited privilege escalation bug linked to targeted attacks. Google has released its June 2026 Android security updates, fixing 124 vulnerabilities across the mobile operating system. One flaw, tracked as CVE-2025-48595 (CVSS score of 8.4), stands out from the rest because it is already being exploited in…
-
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. “The vulnerable behavior exists in each server’s default HTTP/2 configuration,” the company said, adding it was discovered by OpenAI Codex by chaining… First seen on…
-
Windows Search URI Handler Vulnerability Exposes NTLMv2 Hashes to Remote Attackers
Windows systems are once again exposed to NTLM credential leakage through a newly observed abuse of the search: URI handler, a vulnerability class closely mirroring the previously patched CVE-2026-33829 in the Snipping Tool. Security researchers from Huntress have identified that the Windows search URI handler improperly processes user-supplied parameters, allowing attackers to coerce…
-
Infosecurity Europe: Patch Responsibility Remains Up for Grabs as AI Unearths Decades of Flaws
The emergence of AI models capable of autonomously finding and fixing vulnerabilities at scale is having a significant impact on patch management, experts say. First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/patch-responsibility-ai-infosec/
-
VS Code zero-day lets hackers steal GitHub tokens in one click
A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/
-
1-Click GitHub Vulnerability Enables OAuth Token Theft
A newly disclosed vulnerability in GitHub’s browser-based editor, GitHub.dev, allows attackers to steal powerful OAuth tokens with just a single click, giving them read and write access to private repositories. The flaw exploits how Visual Studio Code (VSCode) webviews handle keyboard events and message passing, enabling a malicious repository to execute attacker-controlled actions inside the…
-
Cybersecurity: Four critical threats require urgent action
Multi-layered security strategies can help defend against threats from prompt injection attacks, deepfakes, and the compromise of AI applications and software supply chains. Gartner, a business and technology research firm, has identified four critical and hard-to-predict threats in which attackers currently hold a clear advantage and can exploit weaknesses in enterprises particularly successfully. These include deepfakes, the compromise of AI applications, prompt injection attacks… First…
-
Microsoft MSRC Allegedly Declines Action on Dependency Confusion Vulnerability
Microsoft is facing scrutiny after reportedly declining to treat a critical dependency confusion vulnerability affecting Azure Portal assets as a security issue, despite a proof-of-concept exploit demonstrating remote code execution (RCE). Security researcher Wahid Fayad identified the issue while analyzing JavaScript assets served via portal.azure.com. The investigation revealed an internal Node.js dependency, FxInternal/NetDiagnostics, that was not…
-
Palo Alto Networks Sees AI Boom Driving Firewall Demand
CEO Nikesh Arora Says Agentic Workloads Generate Traffic Requiring Inspection. Palo Alto Networks said surging AI infrastructure investment and growing enterprise demand for AI governance are expanding cybersecurity spending, while false positives from advanced AI vulnerability tools underscore the continued need for human oversight. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/palo-alto-networks-sees-ai-boom-driving-firewall-demand-a-31849
-
Known vulnerabilities behind most application security incidents
Eight in ten organizations took an application security hit during the past year tied to a vulnerability their team had already cataloged, according to a survey of 902 IT and … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/03/csa-application-security-incidents/
-
Russian hackers exploit WinRAR vulnerability for data theft
First seen on scworld.com Jump to article: www.scworld.com/brief/russian-hackers-exploit-winrar-vulnerability-for-data-theft
-
Google releases June Android security patches addressing 124 vulnerabilities, including 1 zero-day
First seen on scworld.com Jump to article: www.scworld.com/brief/google-releases-june-android-security-patches-addressing-124-vulnerabilities-including-one-zero-day
-
CISA orders agencies to patch critical Oracle WebLogic Server vulnerability
First seen on scworld.com Jump to article: www.scworld.com/brief/cisa-orders-agencies-to-patch-critical-oracle-weblogic-server-vulnerability
-
Pretalx vulnerability allows account takeover and admin demotion
First seen on scworld.com Jump to article: www.scworld.com/brief/pretalx-vulnerability-allows-account-takeover-and-admin-demotion
-
Critical vulnerability in WP Maps Pro allows rogue administrator account creation
First seen on scworld.com Jump to article: www.scworld.com/brief/critical-vulnerability-in-wp-maps-pro-allows-rogue-administrator-account-creation
-
New CIFSwitch vulnerability allows Linux privilege escalation
First seen on scworld.com Jump to article: www.scworld.com/brief/new-cifswitch-vulnerability-allows-linux-privilege-escalation
-
PAN-OS authentication bypass bug added to list of exploited vulnerabilities
First seen on scworld.com Jump to article: www.scworld.com/news/pan-os-authentication-bypass-bug-added-to-list-of-exploited-vulnerabilities
-
Proofpoint targets exploited vulnerabilities with new active exploits protection
First seen on scworld.com Jump to article: www.scworld.com/news/proofpoint-targets-exploited-vulnerabilities-with-new-active-exploits-protection
-
Auditors Rip NIST Management of NVD Program
Auditors Accuse Agency of Mismanagement and Program Overlap. Management by the National Institute of Standards and Technology of a repository of vulnerability data came under sharp criticism from federal auditors, who said the agency approached it with a lack of strategic planning and decisive action. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/auditors-rip-nist-management-nvd-program-a-31848
-
Attackers don’t wait to exploit vulnerabilities
In patch management, time is everything. The window between the disclosure of a vulnerability and the deployment of a software update is decisive for keeping hackers out. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/angreifer-schwachstellen-auszunutzen
-
Critical Kirki flaw exploited to hijack WordPress admin accounts
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/
-
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user…
-
7 Best Vulnerability Scanning Tools Software in 2026
Compare the top vulnerability scanners in 2026. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/networks/vulnerability-scanning-tools/
-
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used…