< ciso
brief />
Tag Banner

All news with #vulnerability disclosure tag

573 articles · page 10 of 29

Weekly Recap: PDF Zero-Day, AI Exploits, Fiber Spying

🔔 Emergency updates address a critical PDF zero‑day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that executes malicious JavaScript when specially crafted documents are opened. The report also highlights Anthropic's Mythos being used as an exploit-generation engine, state-linked interference with infrastructure, and research showing telecom optical fibers can be abused for acoustic eavesdropping. Prioritize patching, credential hygiene, and detection for fileless and AI-driven attacks.
read more →

CISA Adds Seven Vulnerabilities to KEV Catalog, 2026

🔔 CISA added seven vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Microsoft, Adobe, and Fortinet products. The CVEs cover insecure library loading, use‑after‑free, deserialization, out‑of‑bounds read, link following, SQL injection, and prototype pollution. Under BOD 22‑01, Federal Civilian Executive Branch agencies must remediate KEV entries by required dates, and CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Critical Marimo Pre-Auth RCE Now Under Active Exploitation

⚠️ A critical pre-auth remote code execution (RCE) in Marimo (CVE-2026-39987) permits unauthenticated access to an interactive shell via the /terminal/ws WebSocket endpoint in versions 0.20.4 and earlier. Sysdig observed exploitation beginning within 10 hours of the public disclosure, with attackers quickly harvesting .env files, cloud credentials and SSH keys. Marimo released v0.23.0 to patch the issue; users should upgrade immediately, restrict external access, monitor WebSocket connections, and rotate any exposed secrets.
read more →

13-Year-Old Remote Code Execution in ActiveMQ Classic

⚠️ Researchers disclosed a critical remote code execution flaw in Apache ActiveMQ Classic that remained undetected for 13 years and can allow arbitrary system command execution. Tracked as CVE-2026-34197 with a CVSS score of 8.8, the bug affects Classic releases before 5.19.4 and 6.0.0 through 6.2.3; fixes were released in 5.19.4 and 6.2.3. Administrators should apply the updates, review Jolokia access controls, and inspect broker logs for indicators of compromise.
read more →

Critical File Upload Flaw in Ninja Forms (WordPress)

⚠ A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin for WordPress, impacting versions up to 3.3.26 and rated CVSS 9.8. The flaw allows unauthenticated attackers to upload malicious files (including .php), bypass validation, and achieve remote code execution. Wordfence validated the report after it was disclosed on January 8, 2026, and the developer issued a complete patch in version 3.3.27 on March 19; administrators should update immediately.
read more →

CISA Adds Ivanti EPMM Code Injection CVE to KEV Catalog

⚠️ CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency notes that code injection is a common, high-risk attack vector with significant implications for federal networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV entries by the required deadlines, and CISA urges all organizations to prioritize timely fixes to reduce exposure.
read more →

Anthropic unveils Project Glasswing to find critical bugs

🔍 Anthropic has launched Project Glasswing, an initiative that uses Claude Mythos Preview to autonomously locate and remediate undiscovered cybersecurity vulnerabilities in critical software. The private model — described by Anthropic as highly capable for coding and agentic tasks — was tested with launch partners including AWS, Google and Microsoft and reportedly found thousands of previously unidentified zero-day flaws. Anthropic committed up to $100m in usage credits and $4m in donations to support open-source security while keeping Mythos Preview restricted to defenders with guardrails.
read more →

Critical RCE Flaw in Ninja Forms File Uploads Plugin

⚠️ A critical vulnerability in the Ninja Forms File Uploads premium add-on (identified as CVE-2026-0740) allows unauthenticated attackers to upload arbitrary files, including PHP, enabling remote code execution. Wordfence reports active exploitation and has blocked thousands of attempts. The flaw affects versions up to 3.3.26; the vendor issued a full fix in 3.3.27 on March 19. Users of the File Upload extension should upgrade immediately and apply available mitigations.
read more →

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.
read more →

Internet Bug Bounty Pauses Payouts Amid AI Advances

🛑 The Internet Bug Bounty program, administered by HackerOne and backed by multiple major software companies, has paused submissions and payouts while it reassesses how best to support open source security. HackerOne said the rise of AI-assisted vulnerability discovery has increased both coverage and speed, shifting the balance between new findings and remediation capacity. Projects such as Node.js will continue to accept and triage reports via HackerOne but may not issue rewards from the paused fund. Similar changes have hit other programs, including curl and recent restrictions at Google's open source rewards effort.
read more →

Apple Extends iOS 18 Security Patches for DarkSword

🔒 Apple has widened rollout of iOS 18.7.7 and iPadOS 18.7.7 to more devices, enabling users who remain on iOS 18 to receive critical fixes without upgrading to iOS 26. The broadened distribution, announced on April 1, addresses vulnerabilities exploited by the DarkSword exploit kit in web-based watering‑hole attacks. Devices with automatic updates will be patched automatically; others can update manually. Researchers warn the toolkit has been linked to multiple threat actors and to payloads such as GhostBlade, GhostKnife and GhostSaber, and that a public leak raises the risk of wider abuse.
read more →

CISA Adds One Known-Exploited Vulnerability to KEV Catalog

⚠️ CISA has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The vulnerability affects the TrueConf client and permits downloaded code to be executed without an integrity check, increasing the risk that attackers can deliver tampered or malicious payloads. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required deadline; CISA strongly urges all organizations to prioritize timely remediation and strengthen routine vulnerability management.
read more →

CISA Adds CVE-2026-5281 to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listing invokes BOD 22-01 remediation requirements for Federal Civilian Executive Branch agencies, which must remediate by the specified due date. CISA strongly urges all organizations to prioritize timely remediation and strengthen vulnerability management, as use-after-free flaws are a common and impactful attack vector.
read more →

Open VSX Flaw Allowed Malicious VS Code Extensions Live

🛡️ Researchers disclosed a patched bug in Open VSX's pre-publish scanning pipeline that allowed a malicious VS Code extension to pass vetting and go live. The defect, named Open Sesame, arose because a Java service returned a single boolean that conflated 'no scanners configured' with 'scanner failures,' causing failed scans to be treated as harmless. The vulnerability was fixed in Open VSX 0.32.0 after responsible disclosure.
read more →

CISA Warns: Critical Langflow RCE (CVE-2026-33017)

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.
read more →

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.
read more →

Researchers Warn of Rising AI-Generated Code Vulnerabilities

⚠️ Georgia Tech researchers warn that AI-assisted 'vibe coding' is producing measurable security flaws in real projects. The Vibe Security Radar traced at least 35 new CVEs in March 2026 and reports 74 confirmed AI-related vulnerabilities to date, while estimating the true count in open source may be five to ten times higher. The team monitors roughly 50 tools and uses metadata and AI agents to map vulnerable commits back to assistants such as Claude Code, noting some tools leave no trace.
read more →

Claude Chrome Extension Flaw Allowed Silent Prompting

⚠️ Researchers disclosed a vulnerability in Anthropic's Claude Google Chrome extension that allowed any website to silently inject prompts into the assistant simply by loading a page. Koi Security researcher Oren Yomtov reported the issue chained an overly permissive origin allowlist with a DOM-based XSS in an Arkose Labs CAPTCHA hosted on a-cdn.claude.ai. Exploitation could let attackers steal tokens, conversation history, and perform actions on behalf of victims. Anthropic patched the extension to require an exact origin match and Arkose Labs fixed the XSS.
read more →

Critical CLI Escape in WAGO Managed Switches (CVE-2026-3587)

⚠️ An unauthenticated remote attacker can trigger a hidden CLI function in WAGO industrial managed switches to escape the restricted interface and gain full control of the device. The vulnerability is tracked as CVE-2026-3587 and classified under CWE-912. CISA rates the issue CRITICAL with a CVSS v3.1 base score of 10.0. Operators should install vendor fixed firmware or, as an interim measure, disable SSH and Telnet.
read more →

OpenCode OC Messaging & USSD Gateway Vulnerability

⚠️ OpenCode Systems' OC Messaging and USSD Gateway version 6.32.2 contain an improper access control vulnerability (CVE-2025-70614, CVSS 3.1 Base Score 8.1) that can allow an authenticated low-privileged user to access SMS messages outside their tenant by providing a crafted company/tenant identifier. OpenCode released version 6.33.11 on 2026-01-06 to remediate the issue. Administrators should upgrade affected systems to 6.33.11 or later and limit network exposure of messaging gateways.
read more →