432 articles
CISA adds CVE-2024-57728 to Known Exploited Vulnerabilities: SimpleHelp path traversal via zip slip allows admin users to upload arbitrary files and execute code. Due May 8, 2026.
CISA adds CVE-2025-2749 to KEV catalog: Kentico Xperience path traversal lets authenticated Staging Sync Server upload arbitrary files. Due date for federal agencies: May 4, 2026.
CVE-2026-8741 (CVSS 3.1) enables remote exploitation of a race condition in EMQX's QoS 2 PUBLISH packet handler, affecting all versions up to 6.2.0.
An attacker used a compromised GitHub token to download Grafana's entire private codebase. The company says no customer data was accessed and the incident involved an extortion...
CVE-2021-47942 (CVSS 7.5) in Home Assistant Community Store 1.10.0 lets unauthenticated attackers read .storage/auth files via /hacsfiles/ traversal, forge JWT tokens, and gain...
CVE-2026-8743 (CVSS 6.5) in Open5GS up to 2.7.6 lets remote attackers bypass authorization via the AMF/MME ranuefindbyamfuengap_id function. Exploit public.
CVE-2026-8731 (CVSS 4.3) in Open5GS up to 2.7.7 lets remote attackers trigger a denial-of-service via the NRF component's SBI client_pool argument. Exploit code is public.
Google Project Zero found a Pixel 10 VPU driver flaw allowing userspace to map arbitrary physical memory, including the kernel image. Exploit required 5 lines of code.
CVE-2026-8738 (CVSS 6.5) in Sanluan PublicCMS 5.202506.d lets remote attackers manipulate the trade payment flow via business logic errors in TradeOrderController.pay.
AI agents now discover and exploit obscure vulnerabilities autonomously, while AI-generated code floods pipelines with flaws. Defenders must adapt to agent-scale threats.
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.
CVE-2026-8573 (CVSS 8.3) and CVE-2026-8577 (CVSS 8.8) in Chrome 148 on Windows allow sandbox escape and RCE via crafted video or HTML pages. Update now.
