Tag: vulnerability
659 articles

WordPress Discloses Core Flaw Enabling Unauthenticated Code Execution
WordPress has patched a critical flaw that allowed hackers to execute code remotely without authentication, releasing versions 6.9.5 and 7.0.2 to fix the vulnerability. The update addresses a REST API batch-route confusion and SQL injection issue that could be triggered by a simple HTTP request.

OpenSSL Flaw Exposes Servers to Memory Exhaustion Attacks
A newly discovered OpenSSL flaw, dubbed HollowByte, leaves unpatched servers vulnerable to memory exhaustion attacks, where a mere 11 bytes can trigger the allocation of up to 131 KB of memory for a message that never arrives. This tiny trigger can bring a server to its knees, freezing memory and blocking critical connections.

OpenSSL Servers Vulnerable to Memory-Bloating DDoS Attacks
Beware: a simple 11-byte malicious input can cripple OpenSSL servers with a devastating DDoS attack, leaving them permanently bloated and vulnerable. This sneaky exploit, dubbed HollowByte, takes advantage of a weakness in OpenSSL's TLS handshake to drain server resources.

AI Agents Vulnerable to Data Injection Attacks
Imagine a hidden vulnerability in AI agents that can be exploited with alarming ease - a new technique has proven to successfully corrupt AI data in nearly half of all attempts, leaving them open to data injection attacks. Researchers have discovered a way to deceive AI by manipulating the small, trusted facts it relies on, with surprisingly high success rates.

AI-Powered Tool Discovers Zero-Day in WordPress Plugin
Meet the AI-powered tool that just discovered a zero-day vulnerability in a popular WordPress plugin, and learn how its automated pipeline can detect and exploit weaknesses in code. This game-changing technology can extract sensitive data, like password hashes and secret tokens, from live databases.

Microsoft Faces New Zero-Day Exploit Disclosure Amid Ongoing Security Dispute
A security researcher has unveiled a proof-of-concept exploit, called LegacyHive, that targets a vulnerability in Windows User Profile Service, allowing for a potential elevation of privileges. This newly disclosed exploit requires just a standard user credential and a third username to launch.

Compromised AsyncAPI Packages Deliver Multi-Stage Botnet Malware
Malicious actors have compromised several AsyncAPI packages, delivering a sophisticated multi-stage botnet malware that uses a command framework with six independent communication channels. The affected packages include @asyncapi/generator-helpers, @asyncapi/generator-components, @asyncapi/generator, and @asyncapi/specs in specific versions.

Claude for Chrome Flaw Exposes Gmail, Google Docs to Rogue Extensions
A security flaw in Claude for Chrome could put your Gmail, Google Docs, and Calendar at risk of being accessed by rogue extensions, with researchers rating the vulnerability as high-severity. A simple script with just six lines of code can trick the extension into treating a fake click as a genuine user action.

Progress Confirms Zero-Day Flaw Behind ShareFile Shutdown
A critical zero-day flaw allowed hackers to access sensitive files, write malicious content, and map server files - prompting Progress Software to urgently shut down ShareFile Storage Zone Controller Windows servers to protect customer data. The emergency move came after a credible external security threat was flagged, temporarily disabling access to all affected ShareFile accounts.

Zimbra Warns of Stored XSS Flaw in Classic Web Client
Zimbra is urging customers to update their Classic Web Client immediately due to a critical vulnerability that could allow hackers to access sensitive mailbox information and execute malicious code via specially crafted emails. Installing the update, specifically upgrading to Zimbra Collaboration Suite version 10.1.19, will help protect against this threat.

AI Security Tools Expose Vulnerability to Cyber-Attacks
Researchers have uncovered a chilling vulnerability in AI-powered security tools, allowing hackers to remotely execute malicious code and wreak havoc on even the most secure systems. This shocking exploit, demonstrated through a proof-of-concept attack on popular AI coding agents, highlights a critical weakness that leaves defenses wide open.

Unpatched XQUIC Flaw Exposes HTTP/3 Servers to Remote Crashes
A single, tiny error - just 260 bytes of ordinary QPACK traffic - can take down an HTTP/3 server, thanks to a flaw in Alibaba's XQUIC library, dubbed XRING. This unpatched vulnerability can cause remote crashes without needing a login or malformed packets.

AI Coding Assistants Expose Flaw in Approval Process
Researchers have uncovered a shocking flaw, dubbed GhostApproval, that affects six major AI coding assistants, allowing malicious code to bypass approval prompts and wreak havoc on a developer's machine. This vulnerability can be exploited through a clever use of symbolic links, posing a significant risk to developers who rely on these tools.

Microsoft Fixes RoguePlanet Zero-Day Flaw in Defender Update
Microsoft has swiftly patched a high-risk zero-day flaw in Defender, known as RoguePlanet, that could have allowed hackers to gain SYSTEM privileges and take control of your device. This critical update fixes the vulnerability, CVE-2026-50656, and ensures your Defender is now better equipped to protect you from potential attacks.

AI Coding Assistants Exposed to Symlink Flaw
Researchers uncovered a major vulnerability, dubbed GhostApproval, that affects six popular AI coding assistants, allowing attackers to manipulate the code and write malicious data into sensitive files. This flaw uses a clever trick involving deceptively named files and symbolic links to catch AI assistants off guard.

AI Coding Agents Expose Unix-Era Security Flaw
A clever trick that exploits a long-standing Unix security flaw, dubbed GhostApproval, can bypass human approvals in AI coding assistants, rendering consent meaningless. By manipulating a harmless-looking project file, attackers can secretly alter sensitive system settings.

GitHub Copilot Exposes Vulnerability to Workflow-Level Jailbreak Attacks
GitHub Copilot has been found to be surprisingly vulnerable to workflow-level jailbreak attacks, with researchers discovering that it provided usable, yet harmful answers 100% of the time when given a cleverly crafted, multi-step coding task. This shocking exploit highlights a major weakness in the AI-powered coding assistant's safety protocols.

Linux Flaw Enables Root Control on Most Distros
A shocking 15-year-old flaw in the Linux kernel, dubbed GhostLock, allows any logged-in user to gain full root control of a machine in just five seconds - if it hasn't been patched. This vulnerability, which affects most Linux distributions, is a serious wake-up call for developers and users alike.

Writer AI Flaw Exposes Session Tokens Across Tenants
A critical flaw in Writer AI, dubbed WriteOut, could let an outsider hijack any account and take over an entire organization with just a single link - no login credentials required. This shocking vulnerability highlights the urgent need for robust security measures in AI-powered platforms.

GitHub Actions Expose Vulnerability in CI/CD Pipelines
A single misstep in a GitHub Actions workflow can become a four-step chain to permanent credential exposure, putting your entire CI/CD pipeline at risk. Researchers have uncovered a class of vulnerabilities, dubbed Cordyceps, that can be exploited in a surprisingly simple way.

Linux KVM Flaw Lets Guest VMs Escape to Host on Intel, AMD Systems
A newly discovered 16-year-old flaw in Linux's KVM, nicknamed "Januscape," allows guest virtual machines to break free and interact with their host systems on Intel and AMD machines, potentially leading to full host code execution. This vulnerability, tracked as CVE-2026-53359, can cause a host to panic and be exploited for malicious purposes.

Unpatched Argo CD Flaw Exposes Kubernetes Clusters to Takeover
A critical flaw in Argo CD's repo-server component has been left unpatched for 18 months, leaving Kubernetes clusters vulnerable to takeover by allowing unauthenticated access to sensitive functions. This gaping security hole enables attackers to execute malicious scripts and gain control of your cluster.

Microsoft Warns AI Agents Can Leak Data via Poisoned Tool Descriptions
A single line of plain text can unwittingly turn a helpful AI agent into a stealthy data thief, exposing sensitive information through a vulnerability in the Model Context Protocol (MCP). This fast-growing attack surface has Microsoft warning of a potentially disastrous trust boundary breach.

GuardFall Exposes AI Coding Agents to Shell Injection Risks
Researchers at Adversa AI have uncovered a shocking weakness, dubbed GuardFall, that lets advanced open-source coding agents slip past safety filters and execute destructive shell commands, exposing them to shell injection risks. This gap between text-based checks and shell execution leaves a trail of vulnerability wide open to exploitation.