Skip to main content

Tag: web application security

21 articles

Attackers Exploit Joomla Extension Bugs with Perfect 10 Scores

Attackers Exploit Joomla Extension Bugs with Perfect 10 Scores

Critical vulnerabilities in two popular Joomla extensions have been exploited in the wild, allowing attackers to gain remote control of affected sites by uploading malicious files. The Cybersecurity and Infrastructure Security Agency has sounded the alarm, adding the flaws to its Known Exploited Vulnerabilities catalog.

Analyst 207
Web server setup under attack in a bright office environment.

CISA Warns of Exploited Flaws in Joomla Extensions

Stay safe online: a critical vulnerability in the iCagenda extension for Joomla can allow attackers to upload malicious files and take control of your website, leading to data theft and total site compromise. CISA warns that this flaw, tracked as CVE-2026-48939, is being actively exploited, so take action now to protect your site.

Analyst 207
Joomla website backend on laptop with iCagenda extension file attachment feature.

Joomla Flaws Exploited as Zero-Days in Active Attacks

A critical vulnerability in the iCagenda extension for Joomla, known as CVE-2026-48939, has been exploited as a zero-day since June 15, 2026, allowing attackers to upload arbitrary files via the component's file attachment feature. This severe flaw, scoring 10.0 on the CVSS scale, has already sparked a wave of automated attacks against popular content-management-system extensions.

Analyst 207
Person sitting at a desk in a well-lit room, with a subtle hint of digital vulnerability.

WordPress Plugins Compromised to Deploy Hidden Backdoors

Over 1.2 million WordPress sites are potentially at risk after a security breach compromised three popular plugins, allowing hackers to secretly install backdoors and gain admin access. The sneaky attack injects malicious code that only kicks in when a logged-in administrator visits the site, putting unsuspecting site owners in the dark.

Analyst 207
Rows of rack-mounted servers with a network administrator in the background.

phpBB Flaw Enables Instant Account Takeover

A single HTTP request can give an attacker instant access to any user's account, including administrator accounts, without needing a password - a vulnerability rated 9.4 on the CVSS scale that's affecting phpBB versions up to 3.3.16 and 4.0.0 alpha.

Analyst 207
Developer scrutinizes code with concern in a well-lit lab setting.

GitHub Dev Attack Exploits OAuth Tokens

A single click can be all it takes for an attacker to swipe a GitHub token, giving them free rein to read and write to your private repos. Security researcher Ammar Askar warns that a clever exploit in GitHub.dev's web-based editor can turn a harmless link into a token-stealing threat.

Analyst 207
Laptop screen displays website homepage amidst papers and coffee cups in a busy workspace.

Ghost CMS SQL flaw fuels large-scale ClickFix attacks

Over 700 domains were hit in a massive cyberattack that exploited a critical vulnerability in Ghost CMS, putting sensitive data at risk. The flaw, tracked as CVE-2026-26980, allowed hackers to tap into site databases and steal admin API keys.

Analyst 207
A Drupal website's backend system on a minimalist desk with code on a laptop screen.

Drupal Core SQL Injection Flaw Actively Exploited

Drupal has confirmed that exploit attempts for a critical SQL injection flaw, CVE-2026-9082, are being actively detected in the wild, posing a significant risk of privilege escalation and remote code execution. This vulnerability affects all supported Drupal Core versions and can lead to full site compromise if not addressed promptly.

Analyst 207
Rows of computer servers and networking equipment in a server room or network operations center.

Drupal Sites Targeted in SQL Injection Attacks

Drupal sites are under attack as SQL injection exploits are now being detected in the wild, taking advantage of a vulnerability that can be triggered without authentication. This critical flaw, CVE-2026-9082, allows attackers to execute arbitrary SQL and potentially run remote code, putting sites that use PostgreSQL at risk.

Analyst 207
Rows of computer servers and storage devices in a brightly-lit server room with a single terminal in the foreground.

Drupal Flaw Exposes PostgreSQL Sites to Remote Code Execution Attacks

A vulnerability in Drupal Core's database abstraction API leaves PostgreSQL sites open to devastating SQL injection attacks, allowing hackers to send malicious requests and wreak havoc. This highly critical flaw, tracked as CVE-2026-9082, has been patched with urgent security updates.

Analyst 207
Laptop screen blurred, a software update is applied in a quiet, well-lit workspace.

Drupal Rushes Security Fix to Plug High-Risk Bug

Drupal is rushing out a critical security update today to fix a high-risk bug that could be exploited by hackers within hours of the patch being released. The update is a core security release aimed at plugging a vulnerability that poses a significant threat to users.

Analyst 207
Laptop screen displays warning message amidst office workspace.

Drupal Users Face Urgent Patch Deadline

Drupal users, take note: a highly critical core patch is coming and it's essential to act fast to secure your site. Get ready to install the update ASAP to avoid potential risks.

Analyst 207
Server racks and equipment in a brightly-lit data center with a single device prominently placed in the foreground.

NGINX Rift Attackers Exploit Exposed Servers Within Days of Disclosure

Malicious actors are already probing and exploiting a long-standing vulnerability in NGINX web server software, just days after its disclosure - highlighting the urgent need for organizations to update their systems and safeguard against cyber threats. This 18-year-old flaw has quickly become a prime target for attackers seeking unauthorized access to exposed servers.

Analyst 207
Web development workspace with laptop and coding materials on desk.

Avada Builder Flaws Expose WordPress Sites to Credential Theft

A critical vulnerability in the Avada Builder WordPress plugin, used by an estimated one million active installations, leaves sites exposed to credential theft and data breaches. Two flaws, CVE-2026-4782 and CVE-2026-4798, allow attackers to read sensitive files and extract database information, putting your site at risk.

Analyst 207
Server room with web server hardware exposed, conveying vulnerability.

NGINX Flaw Enables Unauthenticated Remote Code Execution

A critical 18-year-old vulnerability, known as NGINX Rift, has been discovered in NGINX Plus and NGINX Open Source, allowing unauthenticated attackers to remotely execute code with a single crafted HTTP request. This high-severity flaw, rated 9.2 on the CVSS v4 scale, poses a significant threat to vulnerable servers.

Analyst 207
Laptop screen shows Google search results with suspicious ManageWP ad amidst office or home workspace.

Hackers exploit Google ads for ManageWP phishing scam

Beware of a sneaky phishing scam targeting ManageWP users, where hackers use Google ads to trick victims into divulging their login credentials on a fake website that looks identical to the real one. This clever attack can put hundreds of sites at risk, since each ManageWP account typically hosts multiple sites.

Analyst 207
WordPress site administrator working on laptop in dimly lit server room.

WordPress Plugin Exposes 70,000 Sites to Backdoor Vulnerability

A shocking security vulnerability has been uncovered in a popular WordPress plugin, leaving over 70,000 sites open to backdoor attacks that can inject malicious code on demand. The issue was discovered in the Quick Page/Post Redirect plugin, which was infected with a hidden backdoor five years ago.

Analyst 207
Broken padlock hangs from laptop amidst shattered glass and cityscape of compromised websites.

WordPress Plugin Suite Compromised, Malware Deployed on Thousands of Sites

Thousands of websites have been unwittingly turned into malware gateways due to a massive compromise of over 30 WordPress plugins in the EssentialPlugin package, highlighting a disturbing vulnerability in the internet ecosystem. This security breach has left countless sites exposed, raising urgent questions about accountability and prevention.

Analyst 207
Dark cityscape with giant cracked screen, lone figure in hoodie surrounded by eerie glows, using distorted laptop interface.

Nginx-ui Flaw Exploited in Active Attacks Worldwide

A critical flaw in the nginx-ui MCP component, tracked as CVE-2026-33032, is being actively exploited worldwide, allowing attackers to bypass authentication and slip past one of the most basic protections. This highly severe vulnerability, rated 9.8 on the CVSS scale, poses an immediate dilemma for organizations that depend on this component.

Analyst 207
Shadowy ninja figure looms over broken laptop and scattered code printouts against a cityscape backdrop.

Ninja Forms Flaw Exposes WordPress Sites to Code Execution Risk

A critical vulnerability in the popular Ninja Forms plugin has been discovered, allowing hackers to upload and execute malicious code on WordPress sites without needing login credentials. If you're using Ninja Forms, update to version 3.3.27 immediately to protect your site from remote code execution attacks.

Analyst 207
Laptop screen displays small, hidden SVG padlock image amidst code, with blurred phone and scattered credit cards nearby.

Hackers Conceal Credit Card Stealer in Tiny SVG Images

One tiny pixel can cause massive damage: hackers have successfully hidden credit card-stealing code inside a nearly invisible, one-pixel Scalable Vector Graphics (SVG) image, putting almost 100 Magento-based online stores at risk. This sneaky tactic allowed the malicious code to blend in with normal site assets, evading detection.

Analyst 207