< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 10 of 103

GitHub browser VSCode flaw risks stolen developer tokens

🛡️ A researcher disclosed a vulnerability in GitHub’s browser-based VSCode (github.dev) that could allow an attacker to obtain a developer’s OAuth token and access any repos the developer can reach. The issue involves github.com POSTing a broad-scoped token to github.dev and a bypass in Jupyter notebook-based extension installation that can exfiltrate the token. Microsoft implemented a short-term mitigation requiring notebook confirmation and restoring the trusted-publisher check.
read more →

Gemini notification injection risk on Android devices

🔔 A SafeBreach researcher demonstrated that a single malicious notification from apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could hijack Google Gemini's voice assistant on Android. The technique, called Fake Context Alignment, let notifications be treated as executable context, enabling fake replies, app launches, smart-home control, and even persistent memory poisoning. Google patched the issue server-side after being notified; Android users can disable Gemini's notification reading to mitigate exposure.
read more →

CISA alerts on active Android and Linux kernel exploits

🔒 CISA warns that threat actors are actively exploiting high-severity vulnerabilities in the Android Framework and the Linux kernel, now added to its Known Exploited Vulnerabilities catalog. Google confirms CVE-2025-48595 affects Android 14–16 and may be under limited targeted exploitation, addressed by June 2026 patches. The kernel flaw CVE-2022-0492 impacts multiple branches and can enable container escapes via cgroups v1, with fixes available in specified kernel releases. Federal agencies must remediate or mitigate by the June 5 deadline under BOD 22-01.
read more →

Microsoft 365 Android token-sharing vulnerability patched

🔒 A development flag left enabled in production builds of several Microsoft 365 Android apps bypassed the check that limits account-token sharing to trusted Microsoft apps. Any app on the same device could request the signed‑in user's FOCI token and access email, files, calendar, and messages without a password or prompt. Microsoft has released updates for affected apps; users and administrators should update or push fixes immediately.
read more →

Redis RCE Flaw CVE-2026-23479 and Cloud Risk

🔒 A two-year use-after-free vulnerability (CVE-2026-23479) in Redis 7.2.0 through older stable branches enabled authenticated remote code execution and was disclosed after Team Xint Code and Wiz published a full technical write-up. The flaw arises in unblockClientOnKey() where a freed client structure is reused, and the exploit chain leaks a heap pointer via Lua, forges a client, and corrupts memory accounting to overwrite a GOT entry. Default deployments and many cloud instances lacking passwords increase exposure; Redis released fixes on May 5 and recommends minor upgrades per series and tightened ACLs if immediate patching is not possible.
read more →

One-click GitHub.dev attack exposes OAuth tokens

🔒 Security researchers disclosed a one-click attack targeting GitHub.dev in the browser-hosted VS Code environment that can steal a user's GitHub OAuth token. The exploit abuses message passing between the main VS Code window and untrusted webviews to simulate keypresses, open the Command Palette, and install malicious extensions. By leveraging local workspace extensions and configurable keybindings, attackers can bypass trust prompts and extract tokens with access to private repositories. Microsoft has acknowledged the issue and is working on a fix; the vulnerability does not affect VS Code Desktop.
read more →

Acer warns of max-severity zero-days in Wave 7 routers

🛡️ Acer confirmed it's addressing two maximum-severity zero-day vulnerabilities in Wave 7 mesh routers. Reported by researcher Gergo Pap, both affect firmware T7c_GBL_1.01.000055 or earlier and permit remote, unauthenticated access to sensitive data and persistent backdoors. Acer plans firmware fixes by the end of June 2026 and urges users to update once patches are released and to disable or restrict remote management as a temporary mitigation.
read more →

Unpatched Windows search: URI leaks NTLMv2 hashes

🔒 Researchers disclosed an unpatched Windows issue that can expose a user's NTLMv2 hash via the search: URI handler. Similar to CVE-2026-33829 in the Snipping Tool, the flaw leverages a crumb=location: parameter to force an SMB connection and trigger NTLM authentication. The weakness produces the same Net-NTLMv2 leak and attack prerequisites, and Microsoft declined to patch it after responsible disclosure.
read more →

HTTP/2 Bomb: New Remote DoS Impacting Major Servers

🛡️ Cybersecurity researchers disclosed a remote denial-of-service exploit called HTTP/2 Bomb that affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw leverages HPACK header compression combined with a zero-byte flow-control hold to amplify tiny on-wire headers into large server allocations. Vendors have released patches for some products and provided configuration mitigations for others while several popular implementations remain unpatched.
read more →

Two-year-old Oracle WebLogic flaw now actively exploited

🔒 US federal agencies were ordered to patch a two-year-old high-severity Oracle WebLogic Server vulnerability, CVE-2024-21182, after its addition to CISA’s Known Exploited Vulnerabilities catalog. The flaw affects supported versions 12.2.1.4.0 and 14.1.1.0.0 and was patched by Oracle in the July 2024 CPU. Security experts note that inclusion in the KEV indicates active weaponization and highlight persistent slow patching across organizations as a key risk.
read more →

Critical Kirki Flaw Lets Attackers Hijack WordPress

🔒 Defiant's Wordfence observed active exploitation of a critical privilege escalation bug (CVE-2026-8206) in the Kirki - Freeform Page Builder plugin, used on over 500,000 sites. The flaw, introduced in version 6.0.0 and present through 6.0.6, exposes a password reset endpoint that sends reset links to attacker-supplied emails, enabling account takeover. Vendor patched the issue in v6.0.7; site owners must update or disable the plugin immediately.
read more →

Critical HP Poly VoIP Flaw Enables Remote Root Access

🔒 HP has released patches for a critical buffer overflow in multiple IP conference phones in its Poly Voice line that can allow unauthenticated attackers to gain root on affected devices. The issue, tracked as CVE-2026-0826 and rated 9.2 CVSS, stems from SDP parsing when the ICE feature is enabled; administrators are advised to disable ICE if not needed. Rapid7 researchers released a Metasploit exploit demonstrating the vulnerability, and HP has issued UCS updates to remediate the affected VVX and Trio models.
read more →

Google June 2026 Android security updates

🔒 Google released June 2026 security patches addressing 124 Android vulnerabilities, including a high-severity Framework flaw tracked as CVE-2025-48595 affecting Android 14–16 and 16 QPR2. This privilege escalation bug can be exploited without user interaction and is reportedly under limited targeted exploitation. The June updates arrive in two batches, with the latter adding kernel and chipset fixes from MediaTek, Qualcomm, Unisoc, and others.
read more →

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Oracle WebLogic vulnerability, CVE-2024-21182 (CVSS 7.5), to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The flaw permits unauthenticated network attackers to compromise servers via T3 and IIOP protocols and was patched by Oracle in July 2024. Federal agencies are urged to apply fixes by June 4, 2026, to protect critical data and systems.
read more →

CISA orders federal patch for WebLogic zero-day

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch an actively exploited Oracle WebLogic vulnerability, CVE-2024-21182, by June 4 under BOD 22-01. The flaw affects Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 and enables unauthenticated remote compromise via T3/IIOP. Shodan reports over 1,592 exposed and vulnerable WebLogic instances, and CISA urges all organizations to apply vendor mitigations or discontinue use if fixes are unavailable.
read more →

CISA and Partners Urge Hardening of ATG Systems

🔒 The Cybersecurity and Infrastructure Security Agency (CISA), alongside multiple federal partners, warns of malicious cyber activity targeting internet-exposed automatic tank gauge (ATG) systems used across energy, chemical, food and agriculture, and transportation sectors. The advisory outlines observed tactics—such as authentication bypass, command execution, and privilege escalation—and urges owners to remove ATG devices from public internet exposure, apply patches, enforce strong credentials, and monitor device logs. It also lists reporting contacts and mitigation resources.
read more →

Google issues June 2026 Android security patches

🔒 Google released the June 2026 Android security updates fixing 124 vulnerabilities, including one actively exploited Android Framework zero-day (CVE-2025-48595) affecting devices running Android 14 and later. The company warned of limited, targeted exploitation and urged users to update to the latest Android versions. Two patch bundles (2026-06-01 and 2026-06-05) were issued; Pixel devices will receive updates immediately while other vendors may delay. Google also addressed 18 critical flaws across System, Framework, and Qualcomm components, and previously patched other zero-days this year.
read more →

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.
read more →

Critical Windows Netlogon RCE Flaw Now Exploited

🔒 The Centre for Cybersecurity Belgium (CCB) warned that threat actors are exploiting a recently patched critical Windows Netlogon vulnerability (CVE-2026-41089). Microsoft patched the stack-based buffer overflow during May 2026 Patch Tuesday, which can allow unauthenticated remote code execution on domain controllers. The CCB urged administrators to apply updates immediately, noting a CVSS score of 9.8, while Microsoft has not yet confirmed active exploitation.
read more →

Flowise MCP flaw enables single-click remote code execution

🔒 Researchers at Obsidian Security disclosed a near-max severity remote code execution flaw in self-hosted Flowise deployments tied to its Model Context Protocol (MCP) stdio server implementation. The issue stems from Flowise allowing attacker-controlled MCP stdio configurations that execute arbitrary OS commands, enabling one-click post-auth RCE via malicious chatflow imports. Flowise Cloud is unaffected, but self-hosted instances should review and potentially disable stdio MCP or apply strict mitigations.
read more →