
All news with #vulnerability disclosure tag

512 articles · page 12 of 26

Critical Flaws in Popular VSCode Extensions Expose Devs

⚠️ Ox Security disclosed high- to critical-severity vulnerabilities in widely used VSCode extensions that could enable local file theft and remote code execution. Affected extensions include Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and a one-click XSS in Microsoft Live Preview (pre-0.4.16). The researchers say they attempted disclosure from June 2025 but received no responses from maintainers. Users are advised to avoid running localhost servers, opening untrusted HTML, pasting untrusted settings, and to remove unnecessary extensions.

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.

Honeywell CCTV Products: Critical Account Recovery Flaw

🔒 CISA reports a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that exposes an unauthenticated API endpoint allowing an attacker to change the forgot password recovery email. Successful exploitation can enable account takeover and unauthorized access to camera feeds, and the issue is scored CVSS v3.1 9.8 (CRITICAL). Affected firmware includes several 2MP and 25M IPC/PTZ variants. Honeywell recommends contacting support for patches; CISA urges reducing Internet exposure, segmenting networks, and using secure remote access.

Study Finds Multiple Cloud Password Managers Vulnerable

🔒 A new study from ETH Zurich and Università della Svizzera italiana shows that cloud-based password managers, including Bitwarden, Dashlane, and LastPass, can be vulnerable to password recovery and integrity attacks under a malicious-server model. Researchers identified 25 distinct attack variants ranging from metadata leakage and item swapping to full organizational vault compromise. Vendors have issued patches or mitigation roadmaps and say there is no evidence of in-the-wild exploitation.

Researchers Find Multiple Flaws in Cloud Password Managers

🔐 A team of researchers from ETH Zurich and USI disclosed 27 successful attack scenarios against cloud-based password managers from Bitwarden, LastPass, Dashlane and 1Password, challenging vendors' zero-knowledge claims. The attacks exploit design and cryptographic flaws — including unauthenticated public keys, missing ciphertext integrity and KDF downgrades — enabling vault compromise, password recovery and mass takeover. Vendors report remediation is underway; users should verify fixes and follow advisories.

30-Year-Old Heap Overflow Fixed in libpng 1.6.55 Patch

⚠️ Developers patched a nearly 30-year-old heap buffer overflow in the libpng image library—fixed in libpng 1.6.55—that can crash applications processing crafted PNG files and, with careful heap grooming, enable information disclosure or remote code execution. The flaw exists in the png_set_quantize function when called without a histogram and with oversized palettes. A proof-of-concept is public; users and distributors should upgrade promptly.

Critical RCE in WPvivid Backup Plugin Impacts 900k+

🔒 A critical vulnerability in the WPvivid Backup & Migration WordPress plugin (CVE-2026-1357, CVSS 9.8) allowed unauthenticated attackers to upload arbitrary files and achieve remote code execution. The flaw affected all versions up to 0.9.123 but, according to Defiant, only sites with the non-default "receive backup from another site" option enabled are critically exposed. WPVividPlugins released a patch in v0.9.124 on Jan 28; administrators should upgrade immediately.

Polarion XSS Vulnerability: Siemens Issues Fix Advisory

⚠ Siemens has disclosed a stored cross-site scripting (XSS) vulnerability in Polarion V2404 and V2410 that permits authenticated remote attackers to inject JavaScript into document titles, which can execute in other users' sessions. The flaw is tracked as CVE-2025-40587 and has a CVSS v3.1 base score of 7.6 (High). Siemens advises updating to Polarion V2404.5 or later and V2410.2 or later to remediate the issue. Administrators should prioritize patching, reduce network exposure, and follow Siemens' industrial security guidance.

Siemens Solid Edge Out-of-Bounds Read Vulnerability

⚠️ A PS/IGES Parasolid translator component in Siemens Solid Edge contains an out-of-bounds read when parsing specially crafted IGS files, which can crash the application or permit arbitrary code execution in the context of the running process. Siemens has released a patch; administrators should update to V226.00 Update 03 or later. The issue is tracked as CVE-2025-40936 with a CVSSv3.1 base score of 7.8 (High). Apply the vendor update and follow industrial security best practices to limit exposure.

Siemens Desigo CC and SENTRON Powermanager CodeMeter Flaw

🔒 Siemens reports a heap-based buffer overflow in the WIBU CodeMeter Runtime used by Desigo CC and SENTRON Powermanager products. The flaw (CVE-2023-38545) occurs during the SOCKS5 proxy handshake when curl mishandles hostnames longer than 255 bytes and can enable code execution in the context of the affected process. Siemens provides instructions to update the CodeMeter Runtime component and advises upgrading affected systems to V8.0 QU2 or later; follow the vendor's patching guidance promptly.

First Malicious Outlook Add-in Found in Supply-Chain Attack

🔍 Cybersecurity researchers at Koi Security disclosed the first known malicious Microsoft Outlook add-in, codenamed AgreeToSteal. The attacker claimed an abandoned add-in's domain and used the manifest URL (outlook-one.vercel[.]app) to serve a fake Microsoft sign-in page, harvesting more than 4,000 credentials and exfiltrating them via the Telegram Bot API. The affected add-in, AgreeTo, a calendar/availability tool last updated in December 2022, had requested ReadWriteItem permissions that could have allowed covert mailbox access. Koi recommends domain verification, re-review triggers, delisting stale add-ins, and visible install counts to reduce similar supply-chain abuse.

OpenClaw AI Agent Exposed: Critical Vulnerabilities Revealed

🔒 OpenClaw (formerly Clawdbot/Moltbot) surged in popularity in January 2026 but contains numerous critical vulnerabilities that place local secrets and system integrity at risk. Researchers found many publicly accessible instances running without authentication, allowing theft of API keys, chat histories, and remote code execution. The agent’s default trust of localhost, an unmoderated skills catalog, and prompt-injection weaknesses enable credential theft and malicious plugin execution. The article recommends isolating deployments, using burner accounts and allowlists, and restricting OpenClaw to dedicated experimental hosts.

CISA Adds Six Microsoft Vulnerabilities to KEV Catalog

⚠️ CISA added six Microsoft-related vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2026, citing evidence of active exploitation. The entries include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, affecting Windows, MSHTML, and Office components. Federal agencies must remediate KEV entries under BOD 22-01, and CISA urges all organizations to prioritize patching to reduce exposure.

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.

BeyondTrust warns of critical RCE in Remote Support

⚠️ BeyondTrust has issued an urgent advisory for a critical pre-authentication remote code execution vulnerability tracked as CVE-2026-1731 affecting Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4). The flaw is an OS command injection discovered by Harsh Jaiswal and the Hacktron AI team and can be exploited by unauthenticated attackers without user interaction. BeyondTrust says cloud systems were secured by February 2, 2026 and advises on-premises customers to upgrade to RS 25.3.2 or PRA 25.1.1 immediately.

LLMs Accelerate Zero-Day Discovery: Opus 4.6 Advances

🔎 Claude Opus 4.6 markedly improves automated vulnerability discovery, finding high-severity bugs faster and without task-specific tooling. Unlike traditional fuzzers, which depend on massive random inputs, Opus 4.6 reads and reasons about code like a human researcher—spotting patterns, past fixes, and precise inputs that trigger failures. Early tests show it uncovered long-standing zero-days in projects previously subject to extensive fuzzing.

Critical vulnerabilities found in n8n automation platform

🔒 Security researchers at Upwind disclosed six vulnerabilities in n8n, four rated critical (CVSS 9.4), that enable remote code execution, command injection, arbitrary file access and cross-site scripting. The flaws target how n8n sandboxes user processes and protect the host, making multi-user and shared deployments especially dangerous. Administrators and developers should update to the latest release, audit extensions, and treat web-exposed instances with heightened caution.

Substack Confirms Breach Exposed Emails and Phones to Users

🔒 Substack has confirmed a security incident in which an unauthorized third party accessed limited user information, including email addresses, phone numbers and other internal metadata. CEO Chris Best said the company detected evidence of the issue on February 3 and notified some users on February 5, saying the data collection occurred in October 2025. Substack stated that no financial data or passwords were accessed, that the vulnerability has been fixed, and that a full investigation is underway.

Flickr warns of possible data breach exposing emails and usernames

⚠️ Flickr says a vulnerability in a third-party email service may have exposed member names, email addresses, IP addresses, general location data, Flickr usernames, account types and records of platform activity. The company says it shut off access to the affected system within hours on February 5, 2026, and that passwords and payment card data were not compromised. Flickr urged affected users to review account settings, remain vigilant for phishing, and change reused passwords while it investigates and strengthens monitoring of third-party providers.