ZCyberNews

Articles

432 articles

aria2c EKU Validation Flaw CVE-2026-8367 Enables TLS Certificate
MEDIUM | Vulnerabilities

CVE-2026-8367 (CVSS 4.8) in aria2c fails to validate Extended Key Usage on server certificates, allowing attackers to reuse certificates issued for other purposes in TLS...

CVE-2026-8367
3 min read

Chrome 148 Patches 79 Flaws, 14 Critical Including Heap Overflow
CRITICAL | Vulnerabilities

Google's Chrome 148 update fixes 79 vulnerabilities, 14 critical — including heap buffer overflow CVE-2026-8509 ($43K bounty) and integer overflow CVE-2026-8510 in Skia ($25K...

CVE-2026-8509, CVE-2026-8510
4 min read

fast-xml-builder Flaw CVE-2026-44664 Enables XML Injection via
MEDIUM | Vulnerabilities

CVE-2026-44664 (CVSS 6.1) in fast-xml-builder lets attackers break out of XML comments and inject arbitrary content via triple-dash sequences; fixed in version 1.1.6.

CVE-2026-44664, CVE-2026-41650
4 min read

GitHub Copilot CLI Flaw CVE-2026-45033 Enables RCE via Malicious Repos
CRITICAL | Vulnerabilities

CVE-2026-45033 (CVSS 9.8) in GitHub Copilot CLI before 1.0.43 lets attackers achieve remote code execution by embedding a malicious bare git repository in a project directory.

CVE-2026-45033
3 min read

Gremlin Stealer Evolves: Crypto Clipping, Session Hijacking, Packed
HIGH | Malware

Unit 42 details a new Gremlin stealer variant using XOR-encrypted resource sections, crypto clipper, WebSocket session hijacking, and a commercial packer with instruction...

Gremlin Stealer
5 min read

Lenovo Personal Cloud Storage Flaw CVE-2026-6282 Enables Lateral File
HIGH | Vulnerabilities

CVE-2026-6282 (CVSS 8.1) in Lenovo Personal Cloud Storage lets authenticated users move or access other users' files via improper path validation. No patch yet.

CVE-2026-6282
3 min read

Libsixel Heap Overflow CVE-2026-44636 Lets Attackers Trigger RCE
HIGH | Vulnerabilities

CVE-2026-44636 (CVSS 7.8): A signed integer overflow in libsixel 1.8.7-r1 and earlier lets attackers trigger a heap buffer overflow via crafted SIXEL images, enabling potential...

CVE-2026-44636
3 min read

Metasploit Adds Vim Plugin Persistence, Exploits for Three CVEs
HIGH | Tools & Techniques

Rapid7's Metasploit Framework adds Vim plugin persistence, exploits for CVE-2025-6793 (Marvell QConvergeConsole), CVE-2024-48760 (GestioIP), and CVE-2023-30253 (Dolibarr).

CVE-2025-6793, CVE-2024-48760, CVE-2023-30253
3 min read

Microsoft Warns of Exchange Zero-Day CVE-2026-42897 Exploited in
HIGH | Vulnerabilities

CVE-2026-42897 is a high-severity Exchange Server spoofing flaw exploited in the wild, enabling XSS-based code execution via Outlook on the web.

CVE-2026-42897
4 min read

Next.js Patches Two Authorization Bypass Flaws in App Router
HIGH | Vulnerabilities

CVE-2026-44574 (CVSS 8.1) and CVE-2026-44575 (CVSS 7.5) let attackers bypass middleware-based auth checks in Next.js App Router via crafted .rsc URLs and query parameter...

CVE-2026-44574, CVE-2026-44575
3 min read

Next.js Patches XSS and DoS Flaws in Cache Components
HIGH | Vulnerabilities

CVE-2026-44580 (CVSS 6.1) enables XSS via beforeInteractive scripts; CVE-2026-44579 (CVSS 7.5) triggers connection exhaustion in Partial Prerendering.

CVE-2026-44580, CVE-2026-44579
3 min read

OpenImageIO Integer Overflow CVE-2026-43908 Enables OOB Write
HIGH | Vulnerabilities

CVE-2026-43908 (CVSS 8.8): A signed 32-bit integer overflow in OpenImageIO's ConvertCbYCrYToRGB() causes out-of-bounds writes, risking crashes or code execution in VFX pipelines.

CVE-2026-43908
3 min read

Page 4 of 36