CISO Brief

All news with #vulnerability disclosure tag

510 articles

Microsoft threatens researcher after Windows exploits

🔒 An anonymous researcher known as “Nightmare Eclipse” has published several significant exploits targeting Microsoft Windows, including a vulnerability that defeats BitLocker. Microsoft has responded with threats of legal action, prompting public debate and recriminations between the company and security community. The situation has raised concerns about disclosure practices, researcher protections, and the balance between security research and corporate legal responses.

Oracle launches monthly Critical Security Patch Update

🔒 Oracle has issued its first monthly Critical Security Patch Update (CSPU), addressing 35 vulnerabilities that require more urgent attention than quarterly releases. The batch includes 11 critical, 18 high, and 6 medium severity flaws, with several affecting Oracle REST Data Services, Oracle E-Business Suite, and Oracle Payments. Some older supply-chain bugs have public proof-of-concept exploits, increasing patching urgency.

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.

Critical WP Maps Pro Flaw Enables Site Takeover

🛡️ WP Maps Pro, a popular WordPress plugin, contains a critical privilege escalation vulnerability (CVE-2026-8732) that allows unauthenticated attackers to create administrator accounts and take over sites. The flaw affects all versions up to 6.1.0 and was fixed in 6.1.1. Security researcher David Brown reported the issue, and Wordfence has observed active exploitation attempts. Site owners must update immediately to mitigate ongoing attacks.

New CIFSwitch Linux flaw grants local root access

🛡️ A local privilege escalation named CIFSwitch in the Linux kernel allows forging of CIFS authentication key descriptions and abuse of the kernel key request flow, enabling root privilege escalation. The vulnerability affects kernels paired with vulnerable cifs-utils (6.14+) on several major distributions when user namespaces and permissive SELinux/AppArmor settings are present. The attacker can trigger a privileged cifs.upcall to trust attacker-controlled fields, force a namespace switch, and load a malicious NSS module before privilege drop. A kernel patch validating cifs.spnego request origins is available upstream; mitigations include disabling the CIFS module, removing cifs-utils, and disabling unprivileged user namespaces.

Microsoft and researcher clash over disclosure rules

🛡️ Microsoft and a prominent researcher publicly traded barbs after the researcher, going by Nightmare Eclipse, published vulnerabilities he said were ignored; Microsoft countered that those disclosures were irresponsible and increased risk. The exchange included personal accusations, account deletions, and threats, prompting discussion within the security community about disclosure practices. Senior Microsoft staff signaled a review of processes while defenders on both sides highlighted valid concerns about communication, prioritization, and trust.

Notepad++ XML flaws allow local arbitrary code execution

🔒 Two high-severity vulnerabilities in Notepad++ (CVE-2026-48778 and CVE-2026-48800, CVSS 7.8) let local attackers run arbitrary commands by tampering with the editor’s XML configuration files. Both issues affected versions up to 8.9.6 and were patched in 8.9.6.1 along with a lower-severity crash bug (CVE-2026-48770). The flaws stem from unvalidated values in shortcuts.xml and config.xml, enabling persistence and stealthy execution if an attacker can write to a user’s AppData or supply a poisoned settings folder.

Critical Gogs RCE via Malicious Rebase Branch Name

🔒 A critical Remote Code Execution (RCE) flaw in Gogs, a self-hosted Git service, enables any authenticated user to execute arbitrary commands by creating a pull request with a malicious branch name that injects the --exec flag into git rebase. Rated 9.4 by Rapid7, the bug requires only a registered account on default instances and can be abused without admin privileges or other user interaction. Rapid7 published an exploit module and advises restricting registration and repository creation and auditing rebase merge settings.

Microsoft Rebukes Public Zero‑Day Disclosures

🛡️ Microsoft has urged the security research community to follow Coordinated Vulnerability Disclosure (CVD) after a researcher publicly released details and exploit code for multiple Windows zero‑days, including issues in Defender and BitLocker. The company said several disclosed flaws were not shared with Microsoft before publication, exposing customers to unnecessary risk and prompting security teams to work continuously on protections and updates. Some of the disclosed flaws — BlueHammer, RedSun and UnDefend — are reported to be actively exploited in the wild, and vendor actions have included takedowns of the researcher’s GitHub account.

Critical unauthenticated password reset in KMW cameras

🔒 The advisory details a critical vulnerability in KMW CCTV Security Cameras that allows an unauthenticated attacker to reset the administrator password to a known value, granting full access to camera feeds and settings. Vendor firmware (KM-IP421) is available to address the issue, though it may require re-authorizing cloud P2P connections. CISA urges network segmentation, restricted internet access, regular firmware updates, and other defensive measures to reduce exposure.

DICOM Heap Overflows: Orthanc, pydicom, GDCM Risks

🔍 This white paper examines DICOM parsing risks and demonstrates how malformed medical images can lead to heap overflow vulnerabilities during ingestion. It outlines a concrete case where an Orthanc server is targeted during image upload, producing an out-of-bounds write. The analysis highlights interactions between pydicom, GDCM, and Orthanc, and emphasizes the importance of robust parsing and hardening in PACS environments.

Starlette flaw enables auth bypass in FastAPI stacks

🔒 A single malformed character in a web request can allow unauthenticated attackers to bypass access controls in applications built on Starlette, the Python framework behind FastAPI. X41 D‑Sec disclosed the vulnerability (CVE‑2026‑48710) after finding it in a source‑code audit; Starlette’s maintainer released a patch via GitHub. The flaw stems from inconsistent parsing of the Host header when rebuilding request addresses, causing middleware to see a different path than the router. Researchers warn many model‑serving and AI infrastructure components are exposed unless a compliant reverse proxy rejects malformed Host headers.

Four MediaInfoLib Heap Buffer Overflows Patched

🛡️ Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in the MediaArea MediaInfoLib (v26.01) library, all of which can lead to arbitrary code execution when processing a malicious media file. The issues were found by Dimitrios Tatsis of Talos and have been patched by the vendor per Cisco’s third-party disclosure policy. Users can obtain Snort rules to detect exploitation and consult Talos for vulnerability advisories. Administrators should update MediaInfoLib to the vendor-released fixed versions promptly.

Gitea flaw lets unauthenticated users pull private images

🔒 Researchers disclosed a vulnerability in Gitea that allowed unauthenticated remote attackers to pull private container images from affected deployments without credentials. Tracked as CVE-2026-27771, the issue affects all Gitea versions prior to 1.26.2, which contains the fix. Noscope estimates more than 30,000 deployments globally may be impacted, spanning healthcare, aerospace, retail, and ISPs. Users are advised to update to 1.26.2 or enable REQUIRE_SIGNIN_VIEW as a temporary mitigation.

ABB Camera Connect VLC Component Vulnerabilities

🔔 ABB disclosed that several vulnerabilities exist in the VLC media player component delivered with older ABB Ability Camera Connect installers (≤ 1.5.0.14). An update (Camera Connect 1.5.0.15) and standalone VLC updates are available to remediate multiple memory-corruption and path-related issues. ABB notes that most deployments are air-gapped and isolated, which significantly reduces exposure and remote exploitability, but recommends applying updates at the earliest convenience.

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.

Chromium flaw allows persistent Service Worker abuse

🛡️ Chromium contains an unpatched vulnerability that lets attackers keep a Service Worker alive across restarts and execute JavaScript persistently. Reported by researcher Lyra Rebane, the bug abuses the Background Fetch API and a race that creates and aborts background fetches to evade UI visibility. Although some UI fixes were applied in 2023, the deeper issue—preventing indefinite Service Worker lifetimes—remains unresolved and can enable tracking, crypto mining, and browser-based bots.

Cisco fixes CVSS 10.0 flaw in Secure Workload

🔒 Cisco issued updates for a maximum-severity vulnerability (CVE-2026-20223) in Secure Workload that allows unauthenticated, remote access to REST API endpoints. The flaw permits crafted API requests to read sensitive data and change configurations across tenant boundaries with Site Admin privileges. Affected versions include Release 3.9 and earlier (migrate), 3.10 (fixed in 3.10.8.3), and 4.0 (fixed in 4.0.3.17). Cisco discovered the issue internally and reports no evidence of exploitation in the wild.

Critical ChromaDB RCE Flaw Leaves Servers Exposed

🔒 Researchers disclosed a critical vulnerability in ChromaDB (CVE-2026-45829) that allows unauthenticated attackers to execute arbitrary code and access sensitive data on affected servers. The flaw is a race condition in the FastAPI-based API server that fetches and executes remote embedding model code before performing authentication checks. HiddenLayer says versions 1.0.0 through 1.5.8 are affected and many public instances remain vulnerable; they recommend using the Rust implementation and restricting network access until a patch is available.

Chromium leak exposes unfixed persistent JavaScript flaw

🛡️ Google inadvertently published details of an unfixed Chromium vulnerability that allows JavaScript to continue running after the browser is closed, enabling remote code execution via persistent Service Workers. Reported by researcher Lyra Rebane in December 2022, the issue affects all Chromium-based browsers and was marked fixed in February 2024, but a patch was not shipped. The bug tracker entry was briefly made public on May 20, revealing that the exploit still works in Chrome Dev 150 and Edge 148, making attacks stealthier and increasing risk until an emergency fix is released.