< ciso
brief />
Tag Banner

All news with #vulnerability disclosure tag

573 articles · page 4 of 29

HTTP/2 Bomb: New Remote DoS Impacting Major Servers

🛡️ Cybersecurity researchers disclosed a remote denial-of-service exploit called HTTP/2 Bomb that affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw leverages HPACK header compression combined with a zero-byte flow-control hold to amplify tiny on-wire headers into large server allocations. Vendors have released patches for some products and provided configuration mitigations for others while several popular implementations remain unpatched.
read more →

Critical Kirki Flaw Lets Attackers Hijack WordPress

🔒 Defiant's Wordfence observed active exploitation of a critical privilege escalation bug (CVE-2026-8206) in the Kirki - Freeform Page Builder plugin, used on over 500,000 sites. The flaw, introduced in version 6.0.0 and present through 6.0.6, exposes a password reset endpoint that sends reset links to attacker-supplied emails, enabling account takeover. Vendor patched the issue in v6.0.7; site owners must update or disable the plugin immediately.
read more →

Critical HP Poly VoIP Flaw Enables Remote Root Access

🔒 HP has released patches for a critical buffer overflow in multiple IP conference phones in its Poly Voice line that can allow unauthenticated attackers to gain root on affected devices. The issue, tracked as CVE-2026-0826 and rated 9.2 CVSS, stems from SDP parsing when the ICE feature is enabled; administrators are advised to disable ICE if not needed. Rapid7 researchers released a Metasploit exploit demonstrating the vulnerability, and HP has issued UCS updates to remediate the affected VVX and Trio models.
read more →

Microsoft threatens researcher after Windows exploits

🔒 An anonymous researcher known as “Nightmare Eclipse” has published several significant exploits targeting Microsoft Windows, including a vulnerability that defeats BitLocker. Microsoft has responded with threats of legal action, prompting public debate and recriminations between the company and security community. The situation has raised concerns about disclosure practices, researcher protections, and the balance between security research and corporate legal responses.
read more →

Oracle launches monthly Critical Security Patch Update

🔒 Oracle has issued its first monthly Critical Security Patch Update (CSPU), addressing 35 vulnerabilities that require more urgent attention than quarterly releases. The batch includes 11 critical, 18 high, and 6 medium severity flaws, with several affecting Oracle REST Data Services, Oracle E-Business Suite, and Oracle Payments. Some older supply-chain bugs have public proof-of-concept exploits, increasing patching urgency.
read more →

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.
read more →

Critical WP Maps Pro Flaw Enables Site Takeover

🛡️ WP Maps Pro, a popular WordPress plugin, contains a critical privilege escalation vulnerability (CVE-2026-8732) that allows unauthenticated attackers to create administrator accounts and take over sites. The flaw affects all versions up to 6.1.0 and was fixed in 6.1.1. Security researcher David Brown reported the issue, and Wordfence has observed active exploitation attempts. Site owners must update immediately to mitigate ongoing attacks.
read more →

New CIFSwitch Linux flaw grants local root access

🛡️ A local privilege escalation named CIFSwitch in the Linux kernel allows forging of CIFS authentication key descriptions and abuse of the kernel key request flow, enabling root privilege escalation. The vulnerability affects kernels paired with vulnerable cifs-utils (6.14+) on several major distributions when user namespaces and permissive SELinux/AppArmor settings are present. The attacker can trigger a privileged cifs.upcall to trust attacker-controlled fields, force a namespace switch, and load a malicious NSS module before privilege drop. A kernel patch validating cifs.spnego request origins is available upstream; mitigations include disabling the CIFS module, removing cifs-utils, and disabling unprivileged user namespaces.
read more →

Microsoft and researcher clash over disclosure rules

🛡️ Microsoft and a prominent researcher publicly traded barbs after the researcher, going by Nightmare Eclipse, published vulnerabilities he said were ignored; Microsoft countered that those disclosures were irresponsible and increased risk. The exchange included personal accusations, account deletions, and threats, prompting discussion within the security community about disclosure practices. Senior Microsoft staff signaled a review of processes while defenders on both sides highlighted valid concerns about communication, prioritization, and trust.
read more →

Notepad++ XML flaws allow local arbitrary code execution

🔒 Two High-severity vulnerabilities in Notepad++ (CVE-2026-48778 and CVE-2026-48800, CVSS 7.8) let local attackers run arbitrary commands by tampering with the editor’s XML configuration files. Both issues affected versions up to 8.9.6 and were patched in 8.9.6.1 along with a lower-severity crash bug (CVE-2026-48770). The flaws stem from unvalidated values in shortcuts.xml and config.xml, enabling persistence and stealthy execution if an attacker can write to a user’s AppData or supply a poisoned settings folder.
read more →

Critical Gogs RCE via Malicious Rebase Branch Name

🔒 A critical Remote Code Execution (RCE) flaw in Gogs, a self-hosted Git service, enables any authenticated user to execute arbitrary commands by creating a pull request with a malicious branch name that injects the --exec flag into git rebase. Rated 9.4 by Rapid7, the bug requires only a registered account on default instances and can be abused without admin privileges or other user interaction. Rapid7 published an exploit module and advises restricting registration and repository creation and auditing rebase merge settings.
read more →

Microsoft Rebukes Public Zero‑Day Disclosures

🛡️ Microsoft has urged the security research community to follow Coordinated Vulnerability Disclosure (CVD) after a researcher publicly released details and exploit code for multiple Windows zero‑days, including issues in Defender and BitLocker. The company said several disclosed flaws were not shared with Microsoft before publication, exposing customers to unnecessary risk and prompting security teams to work continuously on protections and updates. Some of the disclosed flaws — BlueHammer, RedSun and UnDefend — are reported to be actively exploited in the wild, and vendor actions have included takedowns of the researcher’s GitHub account.
read more →

Critical unauthenticated password reset in KMW cameras

🔒 The advisory details a critical vulnerability in KMW CCTV Security Cameras that allows an unauthenticated attacker to reset the administrator password to a known value, granting full access to camera feeds and settings. Vendor firmware (KM-IP421) is available to address the issue, though it may require re-authorizing cloud P2P connections. CISA urges network segmentation, restricted internet access, regular firmware updates, and other defensive measures to reduce exposure.
read more →

DICOM Heap Overflows: Orthanc, pydicom, GDCM Risks

🔍 This white paper examines DICOM parsing risks and demonstrates how malformed medical images can lead to heap overflow vulnerabilities during ingestion. It outlines a concrete case where an Orthanc server is targeted during image upload, producing an out-of-bounds write. The analysis highlights interactions between pydicom, GDCM, and Orthanc, and emphasizes the importance of robust parsing and hardening in PACS environments.
read more →

Starlette flaw enables auth bypass in FastAPI stacks

🔒 A single malformed character in a web request can allow unauthenticated attackers to bypass access controls in applications built on Starlette, the Python framework behind FastAPI. X41 D‑Sec disclosed the vulnerability (CVE‑2026‑48710) after finding it in a source‑code audit; Starlette’s maintainer released a patch via GitHub. The flaw stems from inconsistent parsing of the Host header when rebuilding request addresses, causing middleware to see a different path than the router. Researchers warn many model‑serving and AI infrastructure components are exposed unless a compliant reverse proxy rejects malformed Host headers.
read more →

Four MediaInfoLib Heap Buffer Overflows Patched

🛡️ Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in the MediaArea MediaInfoLib (v26.01) library, all of which can lead to arbitrary code execution when processing a malicious media file. The issues were found by Dimitrios Tatsis of Talos and have been patched by the vendor per Cisco’s third-party disclosure policy. Users can obtain Snort rules to detect exploitation and consult Talos for vulnerability advisories. Administrators should update MediaInfoLib to the vendor-released fixed versions promptly.
read more →

Gitea flaw lets unauthenticated users pull private images

🔒 Researchers disclosed a vulnerability in Gitea that allowed unauthenticated remote attackers to pull private container images from affected deployments without credentials. Tracked as CVE-2026-27771, the issue affects all Gitea versions prior to 1.26.2, which contains the fix. Noscope estimates more than 30,000 deployments globally may be impacted, spanning healthcare, aerospace, retail, and ISPs. Users are advised to update to 1.26.2 or enable REQUIRE_SIGNIN_VIEW as a temporary mitigation.
read more →

ABB Camera Connect VLC Component Vulnerabilities

🔔 ABB disclosed that several vulnerabilities exist in the VLC media player component delivered with older ABB Ability Camera Connect installers (≤ 1.5.0.14). An update (Camera Connect 1.5.0.15) and standalone VLC updates are available to remediate multiple memory-corruption and path-related issues. ABB notes that most deployments are air-gapped and isolated, which significantly reduces exposure and remote exploitability, but recommends applying updates at the earliest convenience.
read more →

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.
read more →

Chromium flaw allows persistent Service Worker abuse

🛡️ Chromium contains an unpatched vulnerability that lets attackers keep a Service Worker alive across restarts and execute JavaScript persistently. Reported by researcher Lyra Rebane, the bug abuses the Background Fetch API and a race that creates and aborts background fetches to evade UI visibility. Although some UI fixes were applied in 2023, the deeper issue—preventing indefinite Service Worker lifetimes—remains unresolved and can enable tracking, crypto mining, and browser-based bots.
read more →