< ciso
brief />
Tag Banner

All news with #vulnerability disclosure tag

573 articles · page 9 of 29

Microsoft issues out-of-band patch for ASP.NET Core flaw

🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.
read more →

Amazon Corretto April 2026 Quarterly Security Updates

🔒 Amazon announced its April 2026 quarterly security and critical updates for Amazon Corretto, delivering new builds for LTS and Feature Release OpenJDK distributions. Releases available: Corretto 26.0.1, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492. This is the final Corretto 8 release that includes JavaFX binaries; JavaFX will be removed starting July 2026. Downloads and repo configuration instructions are provided on the Corretto home page to help administrators apply the updates.
read more →

CISA Adds One Vulnerability to KEV Catalog After Exploitation

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33825, an Microsoft Defender access-control issue characterized by insufficient granularity and identified as being actively exploited. The agency emphasizes that this class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the prescribed due date, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Amazon RDS Custom for SQL Server: GDR Updates Supported

🛡️ Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates from Microsoft for SQL Server 2019 (CU32+GDR KB5077469, RDS version 15.00.4460.4.v1) and SQL Server 2022 (CU23+GDR KB5077464, RDS version 16.00.4240.4.v1). These GDRs remediate vulnerabilities tracked as CVE-2026-21262 and CVE-2026-26115. You can apply the recommended updates using the Amazon RDS Management Console or programmatically via the AWS SDK or CLI; see the Amazon RDS Custom User Guide for upgrade guidance.
read more →

Critical Terrarium Sandbox Flaw Enables Root Code Execution

⚠️ A critical vulnerability in the Python-based sandbox Terrarium (CVE-2026-5752) allows attackers to execute arbitrary code with root privileges by traversing JavaScript prototype chains in the Pyodide WebAssembly environment. Disclosed by CERT/CC and credited to researcher Jeremy Brown, the flaw permits sandbox escapes from Docker-deployed containers and can expose sensitive files or services. Because the project is no longer actively maintained, immediate mitigations are recommended, such as disabling untrusted code submissions and isolating containers.
read more →

Over 1,300 Microsoft SharePoint Servers Remain Unpatched

🚨 Over 1,300 Internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability Microsoft fixed in its April 2026 Patch Tuesday. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and was flagged as a zero-day exploited in the wild. Fewer than 200 systems have been patched since the update; organizations should apply Microsoft's fixes or recommended mitigations immediately.
read more →

AI Compresses Attack Timelines: Network Resilience Tested

⚠️ Anthropic's reported Claude Mythos marks a shift: AI is compressing attack timelines by accelerating vulnerability discovery, exploit development, and multi-step attack planning. Attackers can now run malware, phishing, and vulnerability exploitation in parallel, reducing time to compromise and widening exposure. This trend demands prevention-first controls and real-time detection to identify and remediate gaps earlier, limiting impact.
read more →

Silex SD-330AC and AMC Manager: Multiple Critical Flaws

⚠️ Silex Technology released updates addressing multiple serious vulnerabilities in SD-330AC and AMC Manager that could permit remote code execution, denial-of-service, or unauthenticated configuration changes. Affected versions include SD-330AC ≤ 1.42 and AMC Manager ≤ 5.0.2; vendor fixes are SD-330AC firmware 1.50+ and AMC Manager 5.1.0+. CISA notes CVSS scores up to 9.8 and recommends applying vendor updates and interim mitigations such as disabling HTTP/HTTPS for impacted functions, setting web-interface passwords, and disabling SNMP.
read more →

CISA Adds Eight Exploited Flaws to KEV Catalog, Fixes Needed

⚠️ CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and highlighting three flaws in Cisco Catalyst SD-WAN Manager. The list includes high-impact issues such as CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) and authentication, path traversal, and XSS flaws in PaperCut, TeamCity, Kentico, and Zimbra. CISA noted prior ties of CVE-2023-27351 to Lace Tempest and recent Arctic Wolf telemetry on KACE abuse; Cisco confirmed active exploitation of two SD-WAN flaws in March 2026. Federal civilian agencies are urged to remediate the three Cisco vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.
read more →

Critical SGLang RCE via Malicious GGUF Model (CVE-2026-5760)

⚠️ A critical vulnerability (CVE-2026-5760) in SGLang allows remote code execution via specially crafted GGUF model files. The flaw targets the /v1/rerank endpoint, where a malicious tokenizer.chat_template containing a Jinja2 SSTI payload is rendered using an unsandboxed jinja2.Environment(), enabling arbitrary Python execution. Researcher Stuart Beck reported the issue to CERT/CC, which recommends replacing jinja2.Environment() with ImmutableSandboxedEnvironment to mitigate the risk. No patch was obtained during coordination.
read more →

Critical RCE in protobuf.js due to unsafe code gen

⚠️ A critical remote code execution vulnerability has been disclosed in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, caused by unsafe dynamic code generation that concatenates schema-derived identifiers into functions. An attacker who can supply or influence schemas can inject arbitrary JavaScript into a generated Function() call, which executes when the crafted schema is processed. Maintainers and Endor Labs urge immediate upgrades to patched releases and recommend treating schema-loading as untrusted while auditing transitive dependencies.
read more →

Critical Thymeleaf Sandbox Bypass Patched in Java Template

⚠️ Maintainers of Thymeleaf released a patch addressing a critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-40478, that allows unauthenticated attackers to execute expressions and run code. The flaw bypasses Thymeleaf’s sandbox protections by exploiting control characters in expressions and improper class restrictions. All versions prior to 3.1.4.RELEASE are affected, there is no workaround, and organizations should upgrade immediately.
read more →

Attempted Exploitation of CVE-2023-33538 in TP‑Link Routers

🔎 Unit 42 observed automated scans targeting CVE-2023-33538 in several end-of-life TP‑Link routers (TL‑WR940N, TL‑WR740N, TL‑WR841N). Payloads resembled Mirai-like botnet binaries and attempted to download and execute an arm7 ELF, but in-the-wild attempts were flawed and generally failed. Emulation and reverse engineering confirmed a real command-injection flaw in the ssid1 parameter that reaches a system shell, but successful exploitation requires web authentication (default credentials like admin:admin remain a practical risk). TP‑Link lists the devices as EOL with no patches; Unit 42 recommends replacing affected units and avoiding default credentials while using layered protections.
read more →

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.
read more →

ThreatsDay: Defender 0-Day, Excel RCE and Supply Chain Risks

🛡️ This week's bulletin highlights both legacy and emerging threats, including a published Microsoft Defender privilege escalation exploit (RedSun) and a 17‑year‑old Excel RCE (CVE‑2009‑0238) newly added to CISA's KEV. Incidents range from a Zerion hot-wallet compromise (~$100K stolen through AI‑enabled social engineering) to a fake macOS Ledger app that drained about $9.5M. Researchers also disclosed novel C2 frameworks, a WordPress plugin supply-chain backdoor affecting 180k+ installs, and a surge in SonicWall/FortiGate brute-force probing. The collection underscores the need to patch promptly, validate app-store integrity, rotate credentials, and audit third-party dependencies.
read more →

Glasswing’s Public Record: Just One Confirmed CVE Now

🔍VulnCheck's analysis indicates Anthropic's controlled-access Project Glasswing has only one publicly attributable CVE: CVE-2026-4747, a FreeBSD NFS remote code execution flaw described as autonomously identified and exploited. Researcher Patrick Garrity reviewed the CVE database and found 75 records mentioning Anthropic, but only 40 credited to its researchers and a single CVE tied explicitly to Glasswing. Industry observers warn that public attribution may understate the model's potential, and Anthropic plans a fuller accounting by July 2026.
read more →

AI Firms Urged into Larger Role in CVE Disclosures Now

🔒 At VulnCon26 in April, Lindsey Cerkovnik of CISA urged that AI firms like OpenAI and Anthropic be more directly represented in the CVE program to help manage a surge in reported vulnerabilities. She warned that new AI tools both accelerate discovery of valid flaws and generate lower-value noise, putting pressure on disclosure workflows. Recent vendor developments — Anthropic’s Mythos Preview and OpenAI’s GPT-5.4-Cyber — illustrate how automated research is already changing the threat landscape. Cerkovnik said CVE funding is secure and the program remains a CISA priority.
read more →

Composer Perforce VCS Flaws Enable Command Execution

⚠️ Two high-severity vulnerabilities in Composer's Perforce VCS driver (CVE-2026-40176, CVSS 7.8; CVE-2026-40261, CVSS 8.8) can enable arbitrary command injection when processing a malicious repository configuration or a crafted source reference. The issues affect releases prior to 2.9.6 and 2.2.27 and are fixed in those versions; users should upgrade immediately. If you cannot patch, inspect composer.json files for Perforce fields, restrict repositories to trusted sources, and avoid dist-preferred installs. Composer reported no evidence of public exploitation and disabled Perforce metadata publishing on Packagist.org as a precaution.
read more →

ShowDoc RCE CVE-2025-0520 Exploited on Unpatched Servers

⚠️ A critical remote code execution vulnerability, tracked as CVE-2025-0520 (aka CNVD-2020-26585), is being actively exploited against unpatched instances of ShowDoc. The flaw is an unrestricted, unauthenticated file upload caused by improper file-extension validation, allowing attackers to deploy PHP web shells and execute arbitrary code. The bug was fixed in ShowDoc 2.8.7 (October 2020) and the project now ships as version 3.8.1, but researchers observed an exploit dropping a web shell on a U.S.-based honeypot and note more than 2,000 internet-facing instances, most located in China. Administrators should upgrade immediately and scan for signs of compromise.
read more →

Anthropic’s Mythos Preview and Project Glasswing Risks

🔍 Anthropic's new Claude Mythos Preview and its Project Glasswing effort have focused industry attention on AI-driven cyberattack capabilities. Anthropic says it will not release the model publicly, citing the risk that it can automatically generate operational exploits, and is running the model against public and proprietary code to find and patch vulnerabilities before they can be weaponized. The announcement produced substantial PR impact, prompting rival vendors to echo similar caution. Security observers note defenders still hold an advantage—finding flaws is easier than turning them into attacks—but that margin is shrinking as models improve.
read more →