techtimes.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-23.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-23 2026 | AI Patching Reaches Open Source: OpenAI Patch the Planet Targets Python cURL GoPython | Library for AI-driven vulnerability discovery and patching, Patch the Planet, leverages GPT-5.5-Cyber and Trail of Bits security engineers to identify, validate, and fix issues in open-source projects like cURL, Go, and Python. This initiative addresses the overwhelming influx of AI-generated bug reports by adding a human-review layer for validation and patch development, thereby improving security posture without burdening limited maintainer resources. The project also generates reusable security infrastructure, including fuzzing harnesses and analysis pipelines, benefiting participating open-source communities. |
| 2026-06-21 2026 | WordPress Email Plugin Flaw Triggers 17 Million Attacks: Gravity SMTP Leaks Live API KeysAPI Sec | Library for WordPress email plugins, specifically addressing CVE-2026-4020 in Gravity SMTP, which allowed unauthenticated retrieval of sensitive configuration data including live API keys for services like Amazon SES, Google, Mailjet, Resend, and Zoho. This vulnerability, despite its medium severity rating, led to over 17 million exploit attempts, exposing credentials and site software versions to attackers for potential further exploitation. |
| 2026-06-21 2026 | npm Supply Chain Attack: North Korea Backdoored 144 AI Packages in 88 MinutesSupply Chain | Library for detecting and mitigating npm supply chain attacks, as demonstrated by North Korea's Sapphire Sleet group. The attack compromised 144 @mastra AI packages by exploiting dormant account permissions and npm's semantic versioning to inject a malicious easy-day-js package with a postinstall hook. This hook deployed a cross-platform RAT to steal LLM API keys, cloud credentials, and cryptocurrency wallets, bypassing traditional CVE-based scanners. Detection and mitigation strategies include behavioral supply-chain monitoring, with tools like Socket and StepSecurity's Harden Runner offering protection. |
| 2026-06-19 2026 | NGINX Vulnerability Patch: F5 Fixes Critical HTTP/3 and HTTP/2 Remote Code Execution FlawsRCE | Patch addressing critical NGINX vulnerabilities CVE-2026-42530 (HTTP/3 use-after-free) and CVE-2026-42055 (HTTP/2 heap buffer overflow). These flaws, with CVSS v4.0 scores of 9.2, allow unauthenticated remote attackers to crash NGINX worker processes and potentially achieve arbitrary code execution, particularly on systems with weakened ASLR. F5 has released fixes for NGINX Open Source, NGINX Plus, and NGINX Gateway Fabric, with temporary mitigations available for those unable to patch immediately. |
| 2026-06-16 2026 | Oracle PeopleSoft Zero-Day Exploited in 100 Breaches: Council of Europe Deadline Falls TodaySSRF | Writeup on CVE-2026-35273, a critical SSRF vulnerability in Oracle PeopleSoft's PSEMHUB component. This zero-day, exploited by ShinyHunters via a gadget chain, allows unauthenticated remote code execution and has affected over 100 organizations, including higher education and government bodies. Affected versions include PeopleTools 8.61 and 8.62. Mitigation involves disabling the Environment Management Hub or removing PSEMHUB, with Oracle urging immediate action as no patch is yet available. |
| 2026-06-14 2026 | AI Agent Security Hits Its Reckoning: Prompt Injection May Be a Permanent Flaw Not a Patchable BugAI | Library on prompt injection detailing its architectural inevitability within LLMs, comparing it to conventional software's privilege boundaries. It discusses the "lethal trifecta" (private data access, untrusted content exposure, external communication ability) and Meta's "Agents Rule of Two" heuristic, alongside entry points like indirect injection via poisoned content. The entry lists CVE-2026-2256 (ModelScope's MS-Agent command injection), CVE-2026-22708 (Cursor environment variable poisoning), CVE-2025-59532 (OpenAI Codex CLI sandbox escape), and supply chain vulnerabilities like CVE-2025-6514 (mcp-remote proxy RCE). |
| 2026-06-10 2026 | ServiceNow Data Breach: Gated Advisory Left Customers Unaware of Exploited Zero-Auth APIAPI Sec | Writeup detailing a ServiceNow zero-authentication API vulnerability, where attackers queried sensitive customer instance data through an unauthenticated Scripted REST Resource (specifically `/api/now/related_list_edit/create`) between June 2-5, 2026. This marks the third unauthenticated exploit against ServiceNow in eight months, following CVE-2025-12420 and CVE-2026-0542. The vendor's gated advisory, accessible only via login, drew criticism for failing to adhere to coordinated disclosure norms and leaving many customers unaware of the breach, hindering their incident response and regulatory notification efforts. |
| 2026-06-04 2026 | Cisco Unified CM SSRF Flaw CVE-2026-20230: Public Exploit Code Opens Path to RootSSRF | Tool analysis of CVE-2026-20230, a critical Server-Side Request Forgery vulnerability in Cisco Unified Communications Manager's WebDialer Web Service. This flaw, CWE-918, allows arbitrary file writes and privilege escalation to root without authentication, with public exploit code now available. Mitigation involves disabling the WebDialer service or upgrading to patched versions (14SU6 or interim COP for 15SU5). |
| 2026-05-31 2026 | Anthropic AI Vulnerability Scanner in Enterprise Beta: IBM Joins Glasswing After 10000 Flaws FoundAPI Sec | Tool for AI-powered application security scanning, Claude Security, now in public beta for enterprise customers, identifies vulnerabilities by reasoning over code behavior and data flows, moving beyond traditional signature matching. This approach has surfaced over 10,000 critical software flaws through Anthropic's Project Glasswing consortium, which includes IBM, and has also revealed specific vulnerabilities like CVE-2026-5194 in wolfSSL. The tool aims to compress the find-fix cycle, though patching remains a bottleneck for maintainers. |
| 2026-05-26 2026 | llama.cpp GGUF Parser Flaws: Critical Integer Overflow Enables Arbitrary Reads in Every Local AI StackPython | Library of six vulnerabilities found in llama.cpp's GGUF parser, including a critical integer overflow (V-01) allowing arbitrary file reads and memory exhaustion flaws (V-02, V-03) affecting tools like Ollama and LM Studio. These issues, including V-01 and V-02, are present in the C++ gguf.cpp and Python gguf_reader.py implementations, and unlike CVE-2026-7482 (Bleeding Llama), do not have assigned CVE numbers, bypassing standard scanning workflows. |
| 2026-05-26 2026 | Chrome Security Update Patches Two Critical RCE Flaws: One Exploit Still Public UnpatchedRCE | Library for detecting and mitigating browser-based threats, including two critical RCE flaws patched in Chrome (CVE-2026-9111, CVE-2026-9110). It also addresses the publicly disclosed, unpatched Browser Fetch API vulnerability, which enables persistent background connections and potential botnet enrollment across Chromium-based browsers like Edge and Brave, requiring manual updates or enterprise patch management for protection. |
| 2026-05-25 2026 | Ghost CMS SQL Injection Hits 700 Sites: Harvard DuckDuckGo Serve Fake Cloudflare MalwareSQLi | Library for detecting and remediating CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS versions 3.24.0 through 6.19.0. This flaw allows unauthenticated attackers to steal Admin API Keys, enabling them to inject malicious JavaScript into published articles. The compromised sites are then used to serve fake Cloudflare verification pages, tricking visitors into executing PowerShell scripts that download stealer trojans and other malware. The exploitation targets the Content API's slug-filter-order.js serializer and has impacted hundreds of websites, including those of Harvard University and DuckDuckGo. |