Tag: vulnerability
-
Critical Splunk Enterprise Pre-Auth RCE Chain Exposes Databases
Tags: api, authentication, cve, cvss, cyber, flaw, rce, remote-code-execution, service, vulnerability
A critical pre-authentication remote code execution (RCE) vulnerability in Splunk Enterprise has been disclosed, carrying a near-perfect CVSS score of 9.8. Tracked as CVE-2026-20253, the flaw was published by Splunk on June 10, 2026, and affects the PostgreSQL Sidecar Service introduced in Splunk version 10. The root cause of CVE-2026-20253 lies in the PostgreSQL Sidecar Service’s HTTP API…
-
CISA gives agencies 3 days to patch maximum severity Ivanti vulnerability
First seen on scworld.com Jump to article: www.scworld.com/news/cisa-gives-agencies-3-days-to-patch-maximum-severity-ivanti-vulnerability
-
10-year-old phpBB vulnerability allows admin account takeover
Tags: vulnerability
First seen on scworld.com Jump to article: www.scworld.com/brief/10-year-old-phpbb-vulnerability-allows-admin-account-takeover
-
Docker security scanner uses AI to help explain, fix vulnerabilities
First seen on scworld.com Jump to article: www.scworld.com/news/docker-security-scanner-uses-ai-to-help-explain-fix-vulnerabilities
-
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
Vulnerability in the Oracle-owned PeopleSoft software is about as critical as they come. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/
-
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Ivanti Sentry flaw, tracked as CVE-2026-10520 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog. Ivanti Sentry is a secure gateway appliance that sits between an organization’s internal…
-
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/phpbb-forum-fixes-auth-bypass-bug-lurking-for-a-decade/
-
Oracle fixes PeopleSoft flaw exploited by ShinyHunters
A zero-day vulnerability affecting Oracle’s PeopleSoft products is being exploited by a ShinyHunters campaign targeting schools and universities. First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366644375/Oracle-fixes-PeopleSoft-flaw-exploited-by-ShinyHunters
-
ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw
Oracle still hasn’t patched the vulnerability the group has been using in its attacks since late May. First seen on cyberscoop.com Jump to article: cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/
-
Openclaw vulnerable to prompt injection in message objects
Security researchers at Thales have found prompt-injection-based vulnerabilities in Openclaw. The weaknesses were responsibly reported to the Openclaw security team, and a corresponding fix was shipped in version 2026.4.23. Two challenges nevertheless remain: prompt injection is a largely unsolved problem across the industry, and there is no standard governing how messaging objects are serialized before an LLM…
-
Check Point joins OpenAI’s “Trusted Access for Cyber” program and “Daybreak” initiative
Check Point has been admitted as a member of OpenAI’s “Trusted Access for Cyber” (TAC) program and accepted into OpenAI’s “Daybreak” cybersecurity initiative. The threat landscape is being shaped by AI. Attackers use it to act faster, develop attacks, and uncover vulnerabilities at scale. To secure their IT environments, security professionals need capabilities that are at least equivalent, if not stronger.…
-
The Cyber Express Weekly Roundup: AI Security Controls, Major Patch Releases, Public Sector Audits, and Emerging Online Scams
Tags: ai, control, cyber, cybercrime, cybersecurity, governance, government, risk, risk-management, scam, technology, threat, update, vulnerability
This week’s cybersecurity developments highlight a growing emphasis on proactive security measures, governance oversight, and risk management across both public and private sectors. From large-scale vulnerability remediation efforts and AI security enhancements to government-led technology reviews and event-driven cybercrime campaigns, organizations continue to face a complex threat landscape. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/tce-weekly-roundup-cybersecurity-ai/
-
Oracle PeopleSoft RCE Flaw Used as Zero-Day in Ongoing ShinyHunters Campaign
Tags: advisory, breach, exploit, flaw, google, group, intelligence, mandiant, oracle, rce, remote-code-execution, threat, update, vulnerability, zero-day
ShinyHunters exploited a critical Oracle PeopleSoft zero-day to breach over 100 organizations, mostly universities, before a patch was available. Mandiant and Google’s Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited. The gap matters: the activity ran…
-
LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution
Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications. “An SQL injection in LangGraph’s function could First seen on thehackernews.com Jump to article:…
-
Attackers Can Exploit Microsoft Outlook and Word Flaws to Run Malicious Code
Microsoft has disclosed a set of critical remote code execution (RCE) vulnerabilities affecting Outlook and Word that could allow attackers to execute arbitrary code on targeted systems. The flaws, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, were released on June 9, 2026, and carry high severity ratings with CVSS scores of 8.4. Security researchers warn that…
-
Palo Alto PAN-OS Flaw Lets Attackers Run Arbitrary Commands With Root Privileges
Palo Alto Networks has released patches for three new PAN-OS vulnerabilities that could allow authenticated administrators or users to execute arbitrary commands with root privileges or force firewalls into repeated reboots, raising operational and security concerns for enterprises relying on PA-Series and VM-Series appliances.
PAN-OS Root Command Injection via CLI and Web UI (CVE-2026-0273)
CVE-2026-0273…
-
Microsoft Teams Android Flaw Could Let Attackers Disclose Sensitive Information
Microsoft has disclosed a high-severity information disclosure vulnerability affecting its Teams application for Android, tracked as CVE-2026-42835. The flaw, publicly released on June 9, 2026, has been assigned a CVSS v3.1 base score of 8.1, categorizing it as an “Important” severity issue. According to Microsoft’s advisory, the vulnerability stems from improper neutralization of special elements…
-
Researcher Uses AI to Hack Google, Earns $500,000 Bug Bounty
Tags: access, ai, api, attack, bug-bounty, control, cyber, flaw, framework, google, infrastructure, service, vulnerability
Researcher Arvin Shivram has earned $500,000 in bug bounties from Google’s Vulnerability Reward Program (VRP) by deploying an AI-powered fuzzing framework against Google’s internal API infrastructure, uncovering critical access-control flaws across multiple high-impact services in under 3 months. The research began after Shivram was invited to bugSWAT Mexico in October 2025, which reignited his interest in Google’s attack surface. Recognizing that…
-
CISA Orders Federal Agencies to Patch Critical Vulnerabilities Within 3 Days
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 26-04, mandating that federal civilian agencies remediate critical vulnerabilities within as little as 3 days, significantly tightening patching timelines in response to escalating cyber threats and rapid exploitation cycles. Announced on June 10, 2026, the directive introduces a risk-based vulnerability…
-
Oracle PeopleSoft Zero-Day RCE Vulnerability Exploited by ShinyHunters
Tags: cve, cvss, cyber, exploit, flaw, google, group, intelligence, mandiant, oracle, rce, remote-code-execution, threat, vulnerability, zero-day
A newly disclosed zero-day vulnerability in Oracle PeopleSoft is being actively exploited by the ShinyHunters threat group, according to a joint investigation by Mandiant and Google Threat Intelligence Group (GTIG). Tracked as CVE-2026-35273 with a critical CVSS score of 9.8, the flaw affects the Environment Management component and enables unauthenticated remote code execution. Researchers confirmed…
-
Critical vulnerability in the NGINX rewrite module – NGINX flaw dating from 2008 endangers web servers worldwide
Tags: vulnerability
First seen on security-insider.de Jump to article: www.security-insider.de/nginx-luecke-2008-rewrite-modul-codeausfuehrung-a-ca3e4df7dc5f945f1aaa445b10d63d76/
-
Researchers build autonomous AI worm that can reason and adapt
University of Toronto researchers created a proof-of-concept AI worm that dynamically identifies vulnerabilities and adapts its attack strategies. Here’s what it means for enterprises. First seen on techtarget.com Jump to article: www.techtarget.com/searchsecurity/news/366643829/Researchers-build-autonomous-AI-worm-that-can-reason-adapt
-
Oracle warns of security bug that hackers abused to breach 100+ companies
The tech giant warned of a security flaw that a cybercrime gang said it’s exploiting as part of a mass-hacking campaign. Google said it notified more than 100 organizations that had potentially vulnerable servers. First seen on techcrunch.com Jump to article: techcrunch.com/2026/06/11/oracle-warns-of-security-bug-that-hackers-abused-to-breach-100-companies/
-
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
-
Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE
A high-severity security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. “The ‘POST /api/v2/…
-
The Hidden Security Risks of Poor Software Testing
Poor software testing can expose hidden flaws, vulnerable dependencies and weak controls, increasing breach risk, downtime and costly fixes after release. First seen on hackread.com Jump to article: hackread.com/the-hidden-security-risks-of-poor-software-testing/
-
Established enterprise patching models dead in the water, says report
Vulnerability discovery and exploitation were surging dramatically even before Anthropic decided to unleash its frontier Mythos model. As such, an Action1 report finds old approaches to patching are no longer fit for purpose. First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366644134/Established-enterprise-patching-models-dead-in-the-water-says-report