All news with #vulnerability disclosure tag

⚠️ Thirteen critical vulnerabilities have been disclosed in the vm2 JavaScript sandbox, including a full sandbox escape (CVE-2026-26956) that can allow attacker-controlled code to execute host commands under specific Node.js 25/WebAssembly conditions. Another high-risk issue (CVE-2026-44007) involves NodeVM nesting interacting with the legacy module resolver and was patched in 3.11.1. Developers should upgrade to vm2 3.11.2 immediately and consider interim mitigations such as avoiding Node 25 runtimes or disabling WebAssembly for untrusted sandboxes.

🔒 A critical WebSocket vulnerability in Cline's Kanban server (CVSS 9.7) allows any webpage a developer visits to silently exfiltrate workspace data, inject terminal commands and terminate agent sessions. Disclosed by Oasis Security on May 7, it affects the Kanban npm package v0.1.59 and stems from missing origin validation and authentication on three local WebSocket endpoints. Updating to v0.1.66 and disabling the default bypass permissions flag are recommended mitigations.

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.

⚠️The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.

⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.

🚨 A critical vulnerability in the Node.js sandbox library vm2 (CVE-2026-26956) can be exploited to escape the sandbox and execute arbitrary code on the host. The issue has been confirmed in vm2 3.10.4 on Node.js 25 (tested on 25.6.1) when WebAssembly exception handling and JSTag support are enabled. A proof-of-concept exploit is public; users should upgrade to vm2 3.10.5 or later (latest 3.11.2) immediately.

⚠️ CISA has added CVE-2026-0300, an Palo Alto Networks PAN-OS out-of-bounds write vulnerability, to the KEV Catalog after evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by their due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management. CISA will continue to update the catalog when vulnerabilities meet its criteria.

⚠️ Two independent research teams disclosed new Rowhammer-style attacks against NVIDIA Ampere GPUs that induce GDDR bitflips to gain arbitrary read/write access to host memory, enabling full system compromise when IOMMU is disabled by default in many BIOS settings. The proofs of concept — GDDRHammer and GeForge — manipulate GPU page tables and page directories to escalate privileges and, in demonstrations, open root shells on affected machines. A subsequent variant was shown to succeed even with IOMMU enabled; tested cards include RTX 3060, RTX A6000, and RTX 6000.

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.

⚠️ Hitachi Energy reported a directory traversal vulnerability (CVE-2018-1002208) affecting PCM600 product lines, including legacy 2.11 and several 3.x releases. The flaw resides in an affected SharpZipLib component (pre-1.0 RC1) and allows crafted ZIP archives to write files outside intended extraction directories, creating an integrity risk. Hitachi Energy recommends migrating to maintained 3.x builds, following vendor guidance and immediate mitigations such as network isolation, removal of default credentials, and secure remote access while awaiting a planned 3.1 SP4 update.

🔒 ABB has released an update for Automation Studio to address an improper certificate validation vulnerability affecting the OPC-UA and ANSL over TLS clients (CVE-2025-11043). An attacker with network access who can intercept or redirect communications could present forged certificates that pass validation, enabling interception or manipulation of data. The issue is fixed in Automation Studio 6.5; users should apply the update promptly and follow recommended network segmentation and secure remote-access practices. CISA rates this flaw as High (CVSS 7.4) and recorded no reports of active exploitation at publication.

🔍 Researchers using AI-assisted analysis at Wiz's zeroday.cloud event disclosed multiple high-severity memory-safety flaws in PostgreSQL and MariaDB. Two PostgreSQL issues — including a heap overflow in the pgcrypto extension — date back more than 20 years and can enable remote code execution when fed attacker-controlled input. MariaDB's JSON schema validator also contains a heap overflow reachable by any authenticated SQL session, which under certain memory conditions can be escalated to code execution. Patches are available and maintainers strongly urge immediate upgrades.

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.

⚠️ The April 2026 KB5083769 security update is causing third‑party backup applications to fail on Windows 11 (24H2 and 25H2) by triggering a VSS snapshot timeout. Vendors including Acronis, Macrium, NinjaOne and UrBackup have reported backup operations aborting with VSS timeout errors. Acronis has published guidance confirming failures on Pro and Home editions and recommends uninstalling KB5083769 and pausing updates as a temporary workaround.

🔒 A high-severity authentication bypass (CVE-2025-14510, CVSS 8.1) affects ABB Ability OPTIMAX systems that use Azure Active Directory Single Sign-On, potentially permitting an attacker to bypass user authentication remotely. Affected builds include all 6.1 and 6.2 releases and 6.3/6.4 builds prior to 6.3.1-251120 and 6.4.1-251120. ABB has published fixes (for example, 6.3.1-251120); administrators should follow the ABB PSIRT advisory, apply available updates, and implement network segmentation and secure remote access controls while performing impact analysis prior to changes.

🔒 CISA published an advisory on 2026-04-30 describing multiple authentication-related vulnerabilities in ABB AWIN Gateways that permit unauthenticated queries to disclose system configuration and, in one case, remotely reboot devices. The issues include an authentication bypass via capture-replay and missing authentication for critical functions. Affected firmware includes AWIN GW100 rev.2 (2.0-0, 2.0-1) and AWIN GW120 (1.2-0, 1.2-1); ABB released fixes (FW 2.1-0 and FW 2.0-0, Product IDs 3BNP102988R1 and 3BNP103003R1) and PSIRT advisory 4JNO000329. CISA recommends isolating devices, removing internet exposure, using secure remote access (for example, up‑to‑date VPNs), and conducting impact analysis before deploying mitigations.