bleepingcomputer.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-26.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-26 2026 | CISA sets urgent deadline to fix Cisco flaw exploited in attacksRCE | CISA has issued an urgent directive demanding that federal agencies patch a critical vulnerability in Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software. The flaw, identified as CVE-2020-26818, has already been actively exploited by malicious actors in ongoing attacks. Agencies have been given until Monday, April 24th, to implement necessary security updates and mitigate the risk posed by this vulnerability. Failure to comply by the deadline could result in further action from CISA. |
| 2026-06-26 2026 | Polymarket customers lose $3 million in supply-chain attackSupply Chain | Polymarket customers have lost approximately $3 million due to a sophisticated supply-chain attack. The incident involved compromised dependencies, allowing attackers to gain unauthorized access and drain funds from user accounts. The platform is investigating the breach and working to secure its systems. No specific bounty payout amount was mentioned in the provided content. |
| 2026-06-23 2026 | LastPass confirms data breach in Klue supply chain attackSupply Chain | Writeup detailing the LastPass data breach resulting from a Klue supply chain attack. Hackers, identified as the Icarus extortion group, leveraged compromised legacy credentials to access Klue's infrastructure, stealing OAuth tokens that provided access to LastPass's Salesforce environment. Exposed customer data includes names, phone numbers, email addresses, physical addresses, and support case information, potentially leading to phishing and social engineering attacks. LastPass has taken steps to mitigate the incident, including disabling access to Klue and rotating exposed tokens. |
| 2026-06-22 2026 | FFmpeg fixes PixelSmash flaw in widely used video decoderRCE | Library fixes for CVE-2026-8461, the 'PixelSmash' heap out-of-bounds write in FFmpeg's MagicYUV decoder, mitigate remote code execution and denial-of-service vulnerabilities in applications like Jellyfin, Kodi, Emby, and OBS Studio. The flaw can be triggered by malicious video files and poses a supply-chain risk due to its presence in hundreds of projects relying on FFmpeg. Exploitation for RCE may require bypassing ASLR, potentially through chaining with other vulnerabilities. |
| 2026-06-22 2026 | Microsoft fixes AutoGen Studio flaw that enabled code executionRCE | Writeup of AutoJack, a vulnerability chain in Microsoft's AutoGen Studio, detailing how attackers could manipulate AI agents into executing arbitrary commands. The chain exploits weaknesses in WebSocket trust, authentication middleware, and URL parameter handling to enable remote code execution by tricking a browsing agent into loading malicious JavaScript. Microsoft remediated the flaw before its PyPI release, limiting exposure to developers building from source during a specific window. |
| 2026-06-20 2026 | Microsoft links Mastra AI supply chain attack to North Korean hackersSupply Chain | Analysis of the Mastra AI supply chain attack, attributed to North Korean threat actor Sapphire Sleet (BlueNoroff), details a compromise of over 140 npm packages. Attackers hijacked an npm maintainer account to publish malicious updates, introducing a typosquatted dependency, "easy-day-js," which acted as a malware dropper. This dropper targeted Windows, Linux, and macOS systems, aiming to steal credentials, API keys, and cryptocurrency wallets, including those from MetaMask, Phantom, and Coinbase Wallet, utilizing tactics previously associated with Sapphire Sleet campaigns. |
| 2026-06-18 2026 | F5 issues out-of-band patches for critical NGINX vulnerabilitiesRCE | Patches address critical NGINX vulnerabilities, including CVE-2026-42530 (ngx_http_v3_module) and CVE-2026-42055 (ngx_http_proxy_v2_module, ngx_http_grpc_module), allowing unauthenticated attackers remote code execution via use-after-free or heap-based buffer overflow. Mitigation for CVE-2026-42530 involves disabling HTTP/3, and for CVE-2026-42055, removing `ignore_invalid_headers off` and reducing `large_client_header_buffers`. High-severity NGINX Gateway Fabric flaws, CVE-2026-11311 and CVE-2026-50107, enable authenticated attackers to inject NGINX configuration directives. |
| 2026-06-12 2026 | Early Warning Signs of Supply-Chain Attacks Live in the Dark WebSupply Chain | Survey of underground forum posts reveals early warning signs of supply-chain attacks by identifying compromised GitHub access, private repositories, source code exposure, API keys, OAuth tokens, CI/CD data, and vendor-related leaks. These seemingly ordinary access sales can expose secrets, deployment scripts, cloud credentials, and internal workflows, enabling attackers to compromise trusted software builds, deployments, and integrations, as demonstrated by incidents like Vercel, Sportradar, Mistral AI, Shai-Hulud, LiteLLM, and malicious VS Code extensions. |
| 2026-06-11 2026 | Microsoft June 2026 Patch Tuesday fixes 6 zero-days 200 flawsRCE | Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including six zero-days that were actively exploited. This update is crucial for users to protect their systems from known and potential threats. The focus on zero-days highlights the immediate need for patching to prevent exploitation of previously unknown weaknesses. |
| 2026-06-11 2026 | Max severity Ivanti Sentry vulnerability now exploited in attacksRCE | Writeup of CVE-2026-10520 exploitation targeting Ivanti Sentry. Attackers are actively exploiting this maximum-severity OS command injection vulnerability on Internet-exposed secure mobile gateways to achieve root privilege code execution. Exploitation began shortly after Ivanti released patches, with Shadowserver reporting at least two backdoored instances and warning that most exposed gateways are likely compromised. This follows a pattern of active exploitation of Ivanti vulnerabilities, including multiple zero-days in EPMM, impacting government agencies and other organizations. |
| 2026-06-10 2026 | The Miasma worm source code briefly leaked on GitHubSupply Chain | Analysis of Miasma, a credential-stealing attack framework that evolved from the Shai-Hulud worm, details its self-propagating supply-chain attacks. This framework, briefly leaked on GitHub, targets developer machines and cloud credentials to compromise repositories, packages, and AI coding tools like Claude and Copilot. It leverages GitHub for command-and-control, employs advanced multi-stage payload obfuscation, and includes a destructive "dead-man switch" that wipes user files if stolen tokens are revoked. The leak is expected to accelerate adoption and evolution of similar attack techniques. |
| 2026-06-10 2026 | GitHub announces npm security changes to tackle supply-chain attacksSupply Chain | Library announces security changes in npm v12 to combat supply-chain attacks, mandating explicit approval for execution of pre/postinstall scripts, native module builds, and prepare scripts from Git/local/linked dependencies. It will also require explicit permission for fetching dependencies from Git repositories and remote URLs, disrupting techniques used in attacks like Shai-Hulud and those targeting eslint-config-prettier and Toptal's Picasso packages. Developers can prepare by upgrading to npm 11.16.0 for warnings on upcoming breaking changes. |
| 2026-06-10 2026 | Microsoft patches Exchange Server zero-day exploited in attacksXSS | Patching advisory for CVE-2026-42897 details a critical spoofing vulnerability in Microsoft Exchange Server 2016, 2019, and SE. Exploitable remotely without privileges, it allows arbitrary JavaScript execution via specially crafted emails opened in Outlook Web Access. Microsoft urges immediate deployment of June 2026 Security Updates. CISA has added this actively exploited flaw to its known exploited vulnerabilities catalog, mandating swift patching for U.S. government agencies. |
| 2026-06-10 2026 | Ivanti: Max severity Sentry flaw allows code execution as rootRCE | Writeup of CVE-2026-10520, a maximum-severity OS command injection vulnerability in Ivanti Sentry, allowing root code execution. Patched in Sentry versions R10.5.2, R10.6.2, and R10.7.1, this flaw joins CVE-2026-10523, an authentication bypass for rogue admin account creation. Ivanti has no evidence of exploitation for these flaws, but advises immediate upgrades due to past targeting of Ivanti products. |
| 2026-06-10 2026 | ServiceNow discloses security incident exposing customer dataAPI Sec | Incident report detailing a security flaw in ServiceNow's `/api/now/related_list/edit` REST endpoint, allowing unauthenticated access to customer instance data. Attackers exploited this vulnerability, potentially exposing sensitive information within IT support tickets, employee records, and system configurations. ServiceNow applied a security update to restrict access to authenticated users, and administrators are advised to review logs for suspicious activity, particularly requests from `51.159.98.241`, and to audit exposed records and shared credentials. |
| 2026-06-09 2026 | New Veeam vulnerability exposes backup servers to RCE attacksRCE | Writeup detailing CVE-2026-44963, a critical remote code execution flaw in Veeam Backup & Replication (VBR) versions 12.3.2.4465 and earlier, which allows authenticated domain users to compromise backup servers. This vulnerability impacts domain-joined installations, a configuration that deviates from Veeam's best practices. The article highlights the history of VBR flaws being exploited by ransomware gangs like Akira, Fog, Frag, FIN7, and Cuba, and notes that reverse-engineering of patches is likely to occur. Veeam has released patches in version 12.3.2.4854. |
| 2026-06-08 2026 | Gogs patches critical zero-day enabling remote code executionRCE | Library addressing a critical zero-day argument injection vulnerability in Gogs, allowing authenticated, non-admin users to achieve remote code execution. This flaw, affecting versions up to 0.14.2 and 0.15.0+dev, enables attackers to compromise servers, access private repositories, steal credentials, and alter source code. Rapid7 researcher Jonah Burgess discovered and reported the vulnerability, which is exploitable on default configurations with open registration and no repository creation limits. The fix, implemented in Gogs version 0.14.3, addresses a similar attack vector to previously patched issues like CVE-2024-39933 and CVE-2025-8110. |
| 2026-06-08 2026 | Critical UniFi OS bug lets hackers gain root without authenticationRCE | Writeup detailing an unauthenticated root remote code execution chain against Ubiquiti UniFi OS Server, exploiting CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. Researchers from Bishop Fox discovered how improper access control, path traversal, and command injection flaws can be combined to bypass authentication and gain root privileges. A detection script is available to identify vulnerable instances. |
| 2026-06-04 2026 | Hola Browser for Windows compromised to deliver cryptominerSupply Chain | Library compromised to deliver cryptominer. The Windows version of Hola Browser, built on Chromium, experienced a supply chain attack where an undeclared executable named ‘me.exe’ was installed, later identified as a Monero cryptocurrency miner. This malicious component added Windows Defender exclusion rules, copied itself as ‘HolaMonitorService.exe,’ created an auto-starting service, and ran during idle periods. Hola confirmed the supply chain compromise, stating approximately 0.1% of users were affected without evidence of data theft. |
| 2026-06-04 2026 | New IronWorm malware hits 36 packages in npm supply-chain attackSupply Chain | Library infections by the IronWorm malware on npm's registry targeted 36 packages, stealing OpenAI, AWS, and npm credentials, SSH keys, and cryptocurrency wallet data. Written in Rust, IronWorm utilizes an eBPF rootkit and communicates via Tor, self-propagating by publishing trojanized package versions using stolen npm Trusted Publishing credentials. The malware leverages GitHub Actions to exfiltrate secrets as build artifacts and exhibits similarities to the Shai Hulud supply-chain attack. |
| 2026-06-03 2026 | CISA flags two-year-old Oracle flaw as actively exploited in attacksRCE | Advisory regarding CVE-2024-21182, a critical Oracle WebLogic Server vulnerability, now actively exploited. CISA mandated federal agencies patch this flaw, exploitable remotely by unauthenticated attackers via T3 or IIOP to gain unauthorized access. Over 1,500 vulnerable Oracle WebLogic servers have been identified online. This advisory highlights the urgency of patching known vulnerabilities, especially those flagged by CISA as being actively exploited. |
| 2026-06-01 2026 | Critical Windows Netlogon RCE flaw now exploited in attacksRCE | Writeup on CVE-2026-41089, a critical Windows Netlogon RCE flaw, details its exploitation by threat actors. This stack-based buffer overflow in the Netlogon RPC interface allows unprivileged attackers to achieve remote code execution on domain controllers. Patched by Microsoft during May 2026 Patch Tuesday, it affects all supported Windows Server versions. The Centre for Cybersecurity Belgium has warned of active exploitation in the wild. |
| 2026-05-28 2026 | New Gogs zero-day flaw lets hackers get remote code executionRCE | Library for analyzing Gogs zero-day RCE vulnerabilities, including an unpatched argument injection flaw enabling remote code execution via specially crafted pull requests and malicious branch names. This critical vulnerability, affecting Gogs 0.14.2 and 0.15.0+dev, allows authenticated attackers to compromise servers, access private repositories, and extract credentials. The flaw resembles previously patched argument injection issues like CVE-2024-39933 and CVE-2024-39932, but targets a different code path. |
| 2026-05-27 2026 | Glassworm botnet disrupted after resilient C2 infrastructure takedownSupply Chain | Analysis of Glassworm botnet disruption details its resilient C2 infrastructure, which leveraged Solana blockchain transactions, BitTorrent DHT, Google Calendar, and direct server connections. Researchers from CrowdStrike, Google, and The Shadowserver Foundation simultaneously took down these four channels, preventing infected machines from receiving new instructions or payloads. The report highlights Glassworm's targeting of developers through malicious OpenVSX and VS Code extensions, as well as npm packages, and provides YARA rules to identify infections. |
| 2026-05-26 2026 | CISA orders feds to patch actively exploited Drupal vulnerabilitySQLi | Vulnerability writeup detailing CVE-2026-9082, an actively exploited SQL injection flaw in Drupal's database abstraction API. Discovered by Michael Maturi and flagged as highly critical, this unauthenticated vulnerability allows attackers to target PostgreSQL-powered sites, potentially leading to information disclosure, privilege escalation, and remote code execution. CISA mandated U.S. federal agencies to patch by May 27th, citing its inclusion in the Known Exploited Vulnerabilities catalog and its frequent use as an attack vector. |
| 2026-05-24 2026 | Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaignSQLi | Writeup of CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, details its exploitation in large-scale ClickFix campaigns. Threat actors leverage the flaw to steal admin API keys, injecting malicious JavaScript into articles to deploy payloads like the UtilifySetup.exe malware. Vulnerable versions range from 3.24.0 to 6.19.0, with attacks impacting numerous domains, including prominent universities and tech companies. Mitigation involves upgrading to Ghost CMS 6.19.1 or later, rotating API keys, and reviewing logs for indicators of compromise. |
| 2026-05-22 2026 | Drupal: Critical SQL injection flaw now targeted in attacksSQLi | Writeup of CVE-2026-9082, a critical SQL injection vulnerability in Drupal's database abstraction API, discovered by Michael Maturi. This flaw allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution, privilege escalation, and information disclosure, particularly when using PostgreSQL. Exploitation attempts are actively being detected in the wild. Administrators are urged to update to patched versions of Drupal immediately, as older unsupported versions pose significant risks. |
| 2026-05-21 2026 | GitHub links repo breach to TanStack npm supply-chain attackSupply Chain | Writeup detailing the Nx Console VS Code extension compromise, which was exploited by the TeamPCP group to breach 3,800 GitHub repositories. This supply-chain attack, originating from a TanStack npm compromise, leveraged stolen CI/CD credentials and a malicious Nx Console payload designed to exfiltrate secrets from npm, AWS, Kubernetes, GitHub, and GCP/Docker. The compromised extension, version 18.95.0, was available on the Visual Studio Marketplace and OpenVSX for a limited time, impacting approximately 6000 VS Code users. |
| 2026-05-19 2026 | Max-severity flaw in ChromaDB for AI apps allows server hijackingPython | Vulnerability in ChromaDB allows unauthenticated attackers to execute arbitrary code on exposed servers, tracked as CVE-2026-45829. This flaw in the Python API server logic enables attackers to embed malicious model settings before authentication, forcing ChromaDB to load and execute a harmful model from platforms like Hugging Face. Mitigation includes using the Rust frontend, restricting network access, and scanning ML model artifacts before runtime. |
| 2026-05-14 2026 | OpenAI confirms security breach in TanStack supply chain attackSupply Chain | Library impacting hundreds of npm and PyPI packages, the TanStack supply chain attack, also known as Mini Shai-Hulud, led to OpenAI confirming a breach on two employee devices. While no customer data or production systems were compromised, attackers exfiltrated limited credentials from internal repositories, prompting OpenAI to rotate code-signing certificates for its applications. The campaign utilized compromised GitHub Actions workflows and CI/CD configurations to inject malicious code and publish trojanized package versions, targeting developer and cloud credentials, including GitHub tokens and AWS credentials, and establishing persistence via modified code hooks. |
| 2026-05-14 2026 | 18-year-old NGINX vulnerability allows DoS potential RCERCE | Library for detecting CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module, which can lead to denial of service and, under specific conditions like disabled ASLR, remote code execution. This flaw, affecting versions 0.6.27 through 1.30.0, arises from inconsistent state handling during URI processing when 'rewrite' and 'set' directives are used together. The library would likely target this vulnerability and potentially the three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) discovered alongside it. |
| 2026-05-13 2026 | New critical Exim mailer flaw allows remote code executionRCE | Writeup of CVE-2026-45185, a critical user-after-free vulnerability in Exim mail transfer agent versions 4.97 through 4.99.2 compiled with GnuTLS. This flaw allows unauthenticated remote code execution by exploiting a TLS shutdown issue during BDAT chunked SMTP traffic. XBOW's AI-assisted research aided in developing a proof-of-concept exploit, highlighting the evolving landscape of vulnerability discovery and exploitation. |
| 2026-05-12 2026 | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticatorRCE | Writeup detailing critical RCE vulnerabilities in Fortinet products. CVE-2026-44277, an Improper Access Control flaw in FortiAuthenticator, and CVE-2026-26083, a missing authorization weakness in FortiSandbox, allow unauthenticated attackers to execute unauthorized code via crafted requests. These flaws, while not reported as exploited in the wild, follow a pattern of actively exploited Fortinet vulnerabilities, including previous issues in FortiClient EMS. |
| 2026-05-12 2026 | Instructure confirms hackers used Canvas flaw to deface portalsXSS | Writeup on ShinyHunters exploiting cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS. Attackers used these flaws to gain authenticated admin sessions, deface login portals with extortion messages, and exfiltrate over 3.6 terabytes of data. The attacks targeted the Free-for-Teacher environment, leading to temporary downtime and account closures. |
| 2026-05-08 2026 | DAEMON Tools devs confirm breach release malware-free versionSupply Chain | Writeup of DAEMON Tools supply chain attack confirming trojanized installers for version 12.5.1 (free). Hackers used digitally signed installers to backdoor systems, deploying an information stealer and a lightweight backdoor, with QUIC RAT malware observed in at least one instance. Disc Soft Limited released a malware-free version, 12.6, addressing the vulnerability. |
| 2026-05-07 2026 | Ivanti warns of new EPMM flaw exploited in zero-day attacksRCE | Writeup of CVE-2026-6973, a critical Improper Input Validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. This flaw allows remote attackers with administrative privileges to execute arbitrary code on EPMM versions 12.8.0.0 and earlier. Ivanti recommends patching to EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and rotating admin credentials. Four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched. |
| 2026-05-06 2026 | Palo Alto Networks warns of firewall RCE zero-day exploited in attacksRCE | Writeup of CVE-2026-0300, a critical PAN-OS zero-day exploited in attacks. This buffer overflow vulnerability affects the User-ID Authentication Portal on Internet-exposed PA-Series and VM-Series firewalls, allowing unauthenticated attackers to achieve root-level remote code execution. Palo Alto Networks recommends restricting access to trusted zones or disabling the portal until a patch is released, with initial fixes expected May 13, 2026. |
| 2026-05-05 2026 | DAEMON Tools trojanized in supply-chain attack to deploy backdoorSupply Chain | Writeup detailing a supply-chain attack that trojanized DAEMON Tools installers, versions 12.5.0.2421 through 12.5.0.2434, delivering a backdoor to thousands of systems globally since April 8. The attack compromised DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, leading to initial infections and targeted deployments of a lightweight backdoor and, in one instance, the QUIC RAT, to high-value targets in retail, scientific, government, and manufacturing sectors across Russia, Belarus, and Thailand. |
| 2026-05-04 2026 | Weaver E-cology critical bug exploited in attacks since MarchRCE | Library for Weaver E-cology office automation addressing CVE-2026-22679, a critical unauthenticated remote code execution flaw in versions prior to March 12. Exploited since March, the vulnerability stems from an exposed debug API endpoint allowing attackers to execute system commands via improperly validated user parameters. Attackers leveraged this for discovery commands like `whoami`, `ipconfig`, and `tasklist`, and attempted PowerShell-based payload downloads. The vendor's fix removes the debug endpoint entirely, making upgrades essential. |
| 2026-04-29 2026 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptominingRCE | Library for securing the Qinglong open-source task scheduler, addressing CVE-2026-3965 and CVE-2026-4047. These vulnerabilities, stemming from authentication bypass and path traversal flaws in versions 2.20.1 and older, allow for remote code execution. Attackers have been exploiting these issues to deploy cryptominers, disguised by the process name '.fullgc,' on developer servers by injecting shell commands into `config.sh` and downloading binaries from `file.551911.xyz`. |
| 2026-04-29 2026 | GitHub fixes RCE flaw that gave access to millions of private reposRCESupply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability affecting GitHub.com and GitHub Enterprise Server, allowing attackers with push access to gain read/write access to millions of private repositories. The flaw stems from unsanitized user-supplied options during 'git push' operations, enabling arbitrary code execution and potential server compromise. Administrators of GitHub Enterprise Server instances are urged to upgrade immediately, as a significant percentage remain vulnerable. |
| 2026-04-28 2026 | Hackers are exploiting a critical LiteLLM pre-auth SQLi flawSQLi | Library for securing LiteLLM, an open-source LLM gateway, against the CVE-2026-42208 pre-authentication SQL injection vulnerability. Attackers exploit this flaw in the API key verification step to access and modify sensitive data, including API keys, credentials, and environment secrets. The vulnerability allows unauthorized access to the proxy and managed credentials, with active exploitation observed targeting specific tables containing secrets from providers like OpenAI and Anthropic. A fix is available in LiteLLM version 1.83.7. |
| 2026-04-24 2026 | Over 10000 Zimbra servers vulnerable to ongoing XSS attacksXSS | Writeup of CVE-2025-48700, an ongoing XSS vulnerability impacting over 10,000 Zimbra Collaboration Suite instances. Exploitable by unauthenticated attackers, this flaw allows arbitrary JavaScript execution, enabling sensitive information access. Patched in June 2025, it has been actively abused in the wild, leading to CISA's inclusion in its Known Exploited Vulnerabilities Catalog and an order for Federal Civilian Executive Branch agencies to secure affected servers. Previous Zimbra vulnerabilities have also been exploited by APT28 and Russian Winter Vivern. |
| 2026-04-24 2026 | Hackers exploit file upload bug in Breeze Cache WordPress pluginRCE | Library for detecting and preventing arbitrary file uploads, specifically addressing CVE-2026-3844 in the Breeze Cache WordPress plugin. This critical vulnerability, with a severity score of 9.8, allows unauthenticated attackers to achieve remote code execution (RCE) by exploiting a missing file-type validation in the ‘fetch_gravatar_from_remote’ function when the “Host Files Locally - Gravatars” add-on is enabled. Versions up to 2.4.4 are affected. |
| 2026-04-23 2026 | New Checkmarx supply-chain breach affects KICS analysis toolSupply Chain | Library compromise affects Checkmarx KICS, its Docker images, and VS Code extensions, with attackers injecting a hidden 'MCP addon' to steal credentials including GitHub tokens, AWS, Azure, and Google Cloud credentials, npm tokens, SSH keys, Claude configs, and environment variables, exfiltrating them to audit.checkmarx[.]cx. Affected users should block access to malicious domains, use pinned SHAs, revert to safe versions like DockerHub KICS v2.1.20, and rotate secrets. |
| 2026-04-22 2026 | Microsoft releases emergency patches for critical ASP.NET flawAPI Sec | Library updates address critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in Data Protection cryptographic APIs. This flaw allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges, disclosing files, and modifying data. The regression impacts Microsoft.AspNetCore.DataProtection NuGet packages from 10.0.0-10.0.6. Updates to 10.0.7 are recommended, followed by key ring rotation for full remediation. Previously, Microsoft patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server. |
| 2026-04-22 2026 | New npm supply-chain attack self-spreads to steal auth tokensSupply Chain | Library for detecting and defending against npm supply-chain attacks. This worm-like malware self-propagates by injecting malicious code into packages, stealing developer credentials, API keys, cloud service secrets, cryptocurrency wallets (MetaMask, Exodus), and targeting AI agent tooling and database operations. It can also exfiltrate data from CI/CD systems, registries, and LLM platforms, and has been observed targeting PyPI packages with .pth-based payloads. Socket and StepSecurity offer indicators of compromise and remediation guidance, advising immediate removal of affected packages and rotation of all exposed secrets. |
| 2026-04-21 2026 | Actively exploited Apache ActiveMQ flaw impacts 6400 serversRCE | Writeup on CVE-2026-34197, a code injection vulnerability in Apache ActiveMQ Classic, impacting over 6,400 exposed servers. Discovered by Horizon3 researcher Naveen Sunkavally, the flaw allows authenticated actors to execute arbitrary code due to improper input validation. Patched in versions 6.2.3 and 5.19.4, this actively exploited vulnerability has been a repeated target, with CISA urging federal agencies to secure their systems. Exploitation indicators include suspicious broker connections with VM transport and the brokerConfig=xbean:http:// parameter. Previous exploited ActiveMQ flaws include CVE-2016-3088 and CVE-2023-46604. |
| 2026-04-19 2026 | LiteLLM PyPI Package Compromised in TeamPCP Supply Chain AttackPython | Library compromised in a supply-chain attack, where malicious versions of the LiteLLM Python package (1.82.7 and 1.82.8) were uploaded to PyPI by the TeamPCP hacking group. These versions deployed an infostealer that harvested sensitive data including SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallet data. The payload also attempted lateral movement and installed a persistent systemd backdoor, exfiltrating data to attacker-controlled infrastructure. Organizations are advised to rotate credentials and inspect systems for persistence artifacts. |
| 2026-04-18 2026 | Critical flaw in Protobuf library enables JavaScript code executionRCE | Library vulnerability GHSA-xq3m-2v4x-88gg, a critical RCE flaw in protobuf.js, arises from unsafe dynamic code generation. Attackers can inject arbitrary JavaScript code by supplying malicious schemas, leading to code execution on servers or developer machines. Endor Labs identified the issue, impacting versions 8.0.0/7.5.4 and lower, with patches available in 8.0.1 and 7.5.5. Mitigation involves upgrading, auditing dependencies, and treating schema loading as untrusted input. |
| 2026-04-16 2026 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging FaceRCE | Writeup detailing the exploitation of Marimo CVE-2026-39987, which allows remote code execution and deployment of NKAbuse malware. Attackers leverage Hugging Face Spaces, posing as legitimate AI tools, to host dropper scripts and malware binaries. The payload, a variant of NKAbuse, functions as a remote access trojan with capabilities for shell command execution and data exfiltration, including credential theft from environment variables and Redis servers. Exploitation has increased in volume and tactics, with affected users urged to upgrade Marimo to version 0.23.0 or later, or block external access to the `/terminal/ws` endpoint. |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday fixes 167 flaws 2 zero-daysRCE | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days https://ift.tt/nLAl5mZ |
| 2026-04-13 2026 | OpenAI rotates macOS certs after Axios attack hit code-signing workflowSupply Chain | Library for securing applications against supply chain attacks, exemplified by OpenAI's response to a malicious Axios package compromising its GitHub Actions workflow. This incident, linked to UNC1069, led to the rotation of macOS code-signing certificates used for ChatGPT Desktop, Codex, and Atlas to prevent potential misuse of the signing key for distributing malware. OpenAI's investigation found no evidence of compromised certificates or user data, but users must update macOS applications to versions signed with new certificates before May 8, 2026, to avoid functionality loss. |
| 2026-04-12 2026 | Critical Marimo pre-auth RCE flaw now under active exploitationRCE | Writeup detailing CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo versions 0.20.4 and earlier. Exploitable via the unauthenticated WebSocket endpoint '/terminal/ws', attackers can gain an interactive shell with the Marimo process's privileges. Active exploitation observed within hours of disclosure, with attackers exfiltrating credentials and SSH keys. Sysdig researchers noted a methodical operator targeting high-value information. Mitigation includes upgrading to version 0.23.0, restricting external access, or disabling the '/terminal/ws' endpoint. |
| 2026-04-11 2026 | 10,000+ Docker Hub Images Leaking CredentialsSecrets | Analysis of 10,000+ Docker Hub images reveals widespread credential and authentication key leaks affecting over 100 organizations, including a Fortune 500 company and a national bank. Researchers at Flare identified exposed secrets like OpenAI, HuggingFace, and Gemini API keys, GitHub tokens, and database credentials within container images and manifests. Common vulnerabilities stem from `.env` files and hardcoded secrets in application files, impacting cloud environments, CI/CD systems, and Git repositories. While some developers revoked keys within 48 hours, 75% of exposed secrets remained unrevoked, posing ongoing risks. |
| 2026-04-10 2026 | Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitorSupply Chain | Library for analyzing supply chain attacks, specifically detailing a compromise at CPUID that distributed malware via trojanized versions of CPU-Z and HWMonitor. The attack involved DLL sideloading using a malicious CRYPTBASE.dll and delivered the STX RAT infostealer. This incident highlights a pattern targeting widely used utilities, similar to a prior FileZilla compromise. |
| 2026-04-10 2026 | Dangerous runC Flaws Allow Hackers to Escape Docker ContainersRCE | Vulnerabilities in runC, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, allow attackers with custom mount configurations to escape Docker and Kubernetes containers by exploiting bind-mounts and symlink race conditions to gain root privileges on the host system. Fixes are available in later runC versions, and mitigations include user namespaces and rootless containers. |
| 2026-04-10 2026 | Max Severity Flowise RCE Vulnerability Now Exploited in AttacksRCE | Library for securing Flowise, an open-source platform for LLM apps. It addresses CVE-2025-59528, a critical RCE vulnerability allowing arbitrary JavaScript code injection via the CustomMCP node. Developers should upgrade to version 3.0.6 or later to mitigate this threat, which has already been observed in active exploitation. Other Flowise vulnerabilities, CVE-2025-8943 and CVE-2025-26319, have also seen in-the-wild exploitation. |
| 2026-04-08 2026 | 13-year-old bug in ActiveMQ lets hackers remotely execute commandsRCE | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic affecting versions before 5.19.4 and 6.2.3. Discovered using Claude AI, the flaw allows attackers to execute arbitrary commands by exploiting the Jolokia management API to load external configurations, often chaining with CVE-2024-32114 for unauthenticated access. This issue underscores ActiveMQ's history as a target for attackers, with previous RCEs like CVE-2016-3088 and CVE-2023-46604 appearing on CISA's KEV list. |
| 2026-04-07 2026 | Hackers exploit critical flaw in Ninja Forms WordPress pluginRCE | Writeup detailing CVE-2026-0740, a critical 9.8 severity vulnerability in Ninja Forms File Uploads for WordPress versions up to 3.3.26. The flaw allows unauthenticated arbitrary file uploads, including PHP scripts, through a lack of destination filename validation and supports path traversal, enabling remote code execution. The vulnerability was discovered by Sélim Lanouar and reported to Wordfence, who provided temporary firewall mitigations before the vendor released a full fix in version 3.3.27. |
| 2026-04-02 2026 | Hackers exploiting critical F5 BIG-IP flaw in attacks patch nowRCE | Advisory regarding CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP APM systems that attackers are actively exploiting to deploy webshells. This vulnerability, previously classified as denial-of-service, allows unprivileged attackers to achieve RCE when access policies are configured on a virtual server. F5 strongly recommends patching and reviewing systems for signs of compromise. CISA has added it to its list of actively exploited flaws, urging federal agencies to secure their BIG-IP APM deployments. |
| 2026-03-18 2026 | CISA orders feds to patch Zimbra XSS flaw exploited in attacksXSS | Writeup of CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic UI. Exploitable via malicious HTML emails, this flaw allows remote unauthenticated attackers to execute arbitrary JavaScript, potentially hijacking sessions and stealing data. CISA mandated federal agencies patch this actively exploited flaw, which has seen prior exploitation of Zimbra vulnerabilities by groups like Winter Vivern. |
| 2026-02-20 2026 | Microsoft says bug causes Copilot to summarize confidential emailsAI | Advisory regarding a Microsoft 365 Copilot bug where confidential emails were summarized, bypassing data loss prevention policies. This issue, tracked under CW1226324 and detected January 21, affected the Copilot "work tab" chat feature, incorrectly processing emails in Sent Items and Drafts, even those with confidentiality labels. Microsoft confirmed a code error as the root cause and began rolling out a fix in early February, with remediation continuing for complex service environments. |
| 2026-02-04 2026 | CISA warns of five-year-old GitLab flaw exploited in attacksSSRF | Writeup on CVE-2021-39935, a GitLab SSRF vulnerability actively exploited by threat actors. CISA has ordered U.S. federal agencies to patch this five-year-old flaw, which allows unauthenticated external users to access the CI Lint API and perform server-side requests. This vulnerability impacts multiple GitLab versions prior to December 2021 updates and affects organizations using GitLab's DevSecOps platform. |
| 2025-10-21 2025 | CISA confirms hackers exploited Oracle E-Business Suite SSRF flawSSRF | Writeup of CVE-2025-61884, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite, now confirmed by CISA as actively exploited. This flaw in the Oracle Configurator runtime component was leveraged in July attacks, with exploits leaked by ShinyHunters and potentially used by the Clop ransomware gang. Oracle has released patches and recommended federal agencies apply them by November 10, 2025, to mitigate unauthorized data access risks. |
| 2025-04-09 2025 | Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentialsSSRF | Library for detecting and mitigating Server-Side Request Forgery (SSRF) vulnerabilities that target EC2 Metadata. This resource highlights a campaign exploiting IMDSv1 to steal AWS IAM credentials, enabling privilege escalation and access to services like S3. It details attacker techniques, including rotating query parameters and subpaths, and emphasizes the importance of migrating to IMDSv2. The article also notes the broader trend of older CVEs, such as CVE-2017-9841 and CVE-2023-1389, remaining highly exploited. |
| 2024-11-04 2024 | Microsoft SharePoint RCE bug exploited to breach corporate networkRCE | Writeup detailing the exploitation of CVE-2024-38094, a Microsoft SharePoint RCE vulnerability, for initial network access. Attackers deployed a webshell, leveraged Horoung Antivirus to disable defenses, and used tools like Impacket, Mimikatz, FRP, everything.exe, Certify.exe, and kerbrute for lateral movement, credential harvesting, persistence, and network scanning. The exploit involved a batch script for antivirus installation and manipulation of system logging. |