All news with #vulnerability disclosure tag

🚨 Cybersecurity researchers have identified three prompt-injection vulnerabilities in Anthropic's reference Git server implementation, mcp-server-git, affecting default installations and all releases before 8 December 2025. The flaws let attackers manipulate what an AI assistant reads—such as a README, issue text or a webpage—to cause unintended actions without credentials or system access. Exploits can enable code execution when combined with a filesystem MCP server, delete arbitrary files, or load sensitive files into a model's context. Anthropic accepted the reports in September and issued patches in December 2025; affected users are urged to update immediately.

🔒 Cloudflare patched a vulnerability in its ACME HTTP-01 validation logic that could allow requests to bypass WAF protections and reach customer origin servers. Discovered by FearsOff in October 2025, the flaw arose when edge logic disabled WAF handling for requests matching an ACME challenge token without confirming the token belonged to the requested hostname. Cloudflare said it found no evidence of exploitation and implemented a code change on October 27, 2025 to only disable WAF features when the token is a valid challenge for that specific hostname.

🔐The new GCVE database at db.gcve.eu is a free, publicly accessible repository designed to simplify vulnerability reporting and management across Europe. It aggregates normalized data from more than 25 public sources and uses the GCVE Numbering Authority (GNA) model to enable decentralized assignment of identifiers. An open API allows seamless integration into compliance and risk-management tools for security teams, vendors, researchers, CSIRTs, and open-source developers.

⚠️ XM Cyber disclosed privilege-escalation flaws in Google’s Vertex AI that let low‑privileged users manipulate Google-managed Service Agents to gain elevated project-wide permissions. Google told XM Cyber this behavior is "working as intended." Security experts warn that managed service identities and insecure defaults create invisible, structural risks. CISOs are urged to audit service identities, reduce authentication scope, and monitor agent activity like privileged users.

🔒 Researchers at Wiz found a subtle misconfiguration in AWS CodeBuild build-trigger handling that could let unauthenticated actors infiltrate build environments and leak credentials. A two-character mistake in an unanchored regex filter allowed threat actor ID bypasses, putting public repositories such as the AWS JavaScript SDK at risk. AWS patched the issue within 48 hours, hardening CodeBuild and auditing public build logs. Wiz recommends anchored regexes, fine-grained PATs, and stricter build gates to reduce exposure.

⚠️ A critical CodeBuild misconfiguration, dubbed CodeBreach by Wiz, could have allowed attackers to take over several AWS-managed GitHub repositories, including aws-sdk-js-v3, by bypassing webhook actor ID filters. The flaw—missing ^ and $ anchors in regex filters—enabled unauthorized build triggers and potential leakage of privileged GitHub tokens. AWS fixed the issue in September 2025, rotated credentials, implemented mitigations, and reported no evidence of exploitation.

⚠️ Patchstack reports a maximum-severity vulnerability (CVE-2026-23550, CVSS 10.0) in the Modular DS WordPress plugin affecting all versions up to and including 2.5.1. The flaw permits unauthenticated privilege escalation via routes under /api/modular-connector/ when the "direct request" mode with an "origin=mo" parameter is used, bypassing authentication. Exploitation was observed beginning Jan 13, 2026, and the issue is patched in 2.5.2; administrators should update immediately.

⚠️ A critical CodeBuild misconfiguration discovered by Wiz Research allowed untrusted pull requests to run privileged builds, enabling potential injection of malicious code into core AWS repositories—including the AWS SDK for JavaScript that underpins the AWS Console. The flaw was an unanchored regex in an ACTOR_ID webhook filter that let attacker-controlled GitHub IDs bypass restrictions and access credentials stored in build memory. AWS patched the issue within 48 hours, revoked exposed credentials, added protections to block memory-based credential theft and introduced a Pull Request Comment Approval build gate. Wiz advises blocking untrusted PRs, using fine‑grained tokens and anchoring webhook regexes.

⚠️ Researchers demonstrated remote control of WHILL wheelchairs via unsecured Bluetooth connections. CISA has issued an advisory noting the devices did not enforce pairing authentication, allowing attackers within Bluetooth range to pair and control movement, override speed restrictions, and alter configuration profiles without credentials or user interaction. Users and operators should follow the advisory, apply vendor updates, and disable Bluetooth when not required.

🔒 Schneider Electric disclosed vulnerabilities in EcoStruxure Power Build Rapsody that can cause memory corruption and buffer overflows when importing project (SSD) files. Two tracked issues — CVE-2025-13844 (double free, CVSS 5.3) and CVE-2025-13845 (use-after-free, CVSS 7.8) — may allow local attackers to execute code if a user opens a malicious file. Schneider released regional fixed builds; users should install the appropriate update, restart services, and follow recommended mitigations if patching is delayed.

⚠️ Festo SE & Co. KG and CISA report that numerous Festo firmware products contain undocumented remote-accessible functions and missing port/protocol documentation, tracked as CVE-2022-3270 with a CVSS v3.1 base score of 9.8. An unauthenticated remote attacker could leverage these undocumented protocol functions to cause full loss of confidentiality, integrity, and availability. Festo intends to address the issue by updating technical user manuals in the next product versions; operators should meanwhile reduce network exposure, enforce firewalls, and use VPNs and encrypted links.

🔒 Siemens and CISA report an authorization bypass in multiple Siemens Industrial Edge and related devices (CVE-2025-40805) that can allow an unauthenticated remote attacker who knows a legitimate user's identity to impersonate that user. Siemens has released firmware and software updates for many affected models and is preparing additional fixes. Where updates are not yet available, Siemens and CISA advise network isolation, minimizing internet exposure, use of secure remote access (VPNs), and other compensating controls to limit risk.

⚠️ Siemens reports a temporary denial-of-service vulnerability in RUGGEDCOM ROS devices that can be triggered via the TLS certificate upload process. Authenticated remote attackers may upload malformed certificate data to cause a crash and an automatic reboot (CVE-2025-40935, CWE-20), producing a brief availability outage. Siemens has published fixed firmware; update affected systems to V5.10.1 or later. CISA advises isolating control networks, minimizing internet exposure, using secure remote access, and performing impact analysis before applying mitigations.

🔒 Microsoft released updates addressing over 100 CVEs on the first Patch Tuesday of 2026, including three zero-day vulnerabilities. CVE-2026-20805 is an actively exploited information-disclosure flaw in the Desktop Window Manager that can undermine ASLR; CVE-2026-21265 concerns a secure-boot certificate-expiration bypass affecting many devices; CVE-2023-31096 is an elevation-of-privilege in legacy Agere modem drivers that Microsoft is removing. Administrators should prioritize patching, review firmware and UEFI certificates, and audit hardware where updates may require manual acceptance.

🔒 Microsoft released its first security update of 2026 addressing 114 vulnerabilities across Windows, including one actively exploited in the wild. The set includes eight Critical and 106 Important flaws, spanning privilege escalation, information disclosure, and remote code execution issues. Administrators are urged to prioritize the exploited CVE-2026-20805 and VBS-related fixes, and to follow guidance for Secure Boot certificate updates to avoid disruption.

⚠️ Node.js has released critical updates to address a bug that can force the runtime to exit rather than throw a catchable error when a stack overflow occurs with async_hooks enabled. The defect causes Node.js to terminate with exit code 7, creating a potential Denial-of-Service vector for applications whose recursion is controlled by unsanitized input. A fix is available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0; older, EOL releases remain vulnerable. Users and maintainers are urged to update promptly.

🔴 On Dec. 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure in MongoDB Server stemming from handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can cause the server to return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation were observed; MongoDB Atlas was auto-patched while self-hosted deployments require immediate manual updates and mitigations such as disabling zlib compression and restricting inbound access.

🔒 Multiple current and former Target employees confirmed that source code and documentation shared by a threat actor match the company's internal systems. The leaked sample contains real system names (e.g., BigRED, TAP [Provisioning]), proprietary codenames and tooling references, including Vela-based CI/CD and JFrog Artifactory. Target enacted an "accelerated" change restricting access to its on-prem Git server to the corporate network and VPN after the disclosure.

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-20805, a Microsoft Windows information disclosure issue identified as being actively exploited. This vulnerability type is a common attack vector and presents significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by prescribed due dates, and CISA strongly urges all organizations to prioritize timely remediation. CISA will continue to update the KEV Catalog as new exploited CVEs meet its criteria.

🔒 ServiceNow has released fixes for a critical flaw in its ServiceNow AI Platform that could allow an unauthenticated actor to impersonate other users and perform arbitrary actions. Tracked as CVE-2025-12420 with a CVSS score of 9.3, the issue was addressed on October 30, 2025 and deployed to the majority of hosted instances. Patches were also shared with partners and self-hosted customers; administrators are advised to apply updates promptly to mitigate risk.