cyberinsider.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-07-18.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-07-18 2026 | WordPress releases emergency update for critical 'wp2shell' RCE flawRCE | WordPress has issued an emergency update to address a critical Remote Code Execution (RCE) vulnerability, dubbed 'wp2shell'. This flaw allows attackers to execute arbitrary code on affected WordPress sites. Users are strongly advised to update their WordPress installations immediately to patch this security risk. No payout amount for reporting this vulnerability was mentioned in the provided content. |
| 2026-06-28 2026 | Polymarket suffers supply chain attack leading to $3 million crypto theftSupply Chain | Writeup of Polymarket's supply chain attack, where a compromised third-party vendor injected malicious code into the platform's frontend. This incident led to approximately $3 million in cryptocurrency theft from users via a phishing campaign, with affected funds bridged from Polygon to Ethereum. Blockchain security firms PeckShield and Bubblemaps investigated, identifying fewer than 15 affected accounts and tracking the stolen ETH. Users are advised to monitor wallet activity and revoke token approvals. |
| 2026-06-22 2026 | FFmpeg PixelSmash bug triggers code execution on media file openRCE | Library for FFmpeg's CVE-2026-8461, "PixelSmash," a critical heap out-of-bounds write vulnerability in the MagicYUV decoder. This flaw allows remote code execution through specially crafted media files like AVI, MKV, or MOV, impacting numerous downstream applications including Kodi, OBS Studio, Jellyfin, and Nextcloud. Exploitation involves overwriting function pointers within FFmpeg's heap structures, enabling arbitrary command execution. The vulnerability was patched in FFmpeg 8.1.2. |
| 2026-06-17 2026 | Supply-chain attack injects backdoor on ShapedPlugin WordPress softwareSupply Chain | Library for detecting and mitigating supply-chain attacks like CVE-2026-10735 affecting ShapedPlugin's premium WordPress software. This attack involved injecting backdoors through legitimate update channels, leading to credential theft, 2FA secret exfiltration, and the deployment of tools like Tiny File Manager and Adminer. The incident highlights risks associated with compromised build pipelines and vendor update systems, impacting plugins such as Real Testimonials Pro, Product Slider Pro, and Smart Post Pro. |
| 2026-05-25 2026 | Drupal warns of active exploitation attempts targeting critical SQL injection flawSQLi | Analysis of CVE-2026-9082, a critical SQL injection vulnerability affecting Drupal sites using PostgreSQL, details active exploitation attempts observed by Imperva. This flaw in Drupal's database abstraction API allows unauthenticated attackers to execute arbitrary SQL, leading to potential information disclosure, privilege escalation, and remote code execution. CISA has added it to the KEV catalog, and agencies must secure systems by May 27. Patches are available for supported Drupal versions, and immediate updates are advised. |
| 2026-05-15 2026 | OpenAI confirms exposure in recent Shai-Hulud supply-chain attackSupply Chain | Writeup of the Mini Shai-Hulud supply-chain attack impacting OpenAI, which involved compromised npm packages from TanStack and exposed limited internal credentials and code-signing certificates. The incident led OpenAI to rotate signing keys for its desktop applications and prompted macOS users to update software by June 12, 2026, to avoid disruptions. The attack leveraged techniques like cache poisoning and OpenID Connect token extraction to compromise repositories and harvest secrets. |