HOT NEWS 2026 JUNE

DATE | NAME | INFO | CATEGORY | SUBCATEGORY

30.6.26 Mind your key: An Empirical Study of LLM API Credential Leakage in iOS Apps The rapid integration of large language models (LLMs) into mobile applications has introduced a new class of credential security risk: leaked credentials that grant unauthorized access to LLM inference services, which can cause financial damage on the developer side. Prior work has studied credential leakage across various platforms, with a primary focus on Android apps. However, to date, no empirical study has systematically investigated how LLM API key leakage occurs in iOS applications. PAPERS PAPERS
30.6.26 LM-Scout: Analyzing the Security of Language Model Integration in Android Apps Developers are increasingly integrating Language Models (LMs) into their mobile apps to provide features such as chat-based assistants. To prevent LM misuse, they impose various restrictions, including limits on the number of queries, input length, and allowed topics. However, if the LM integration is insecure, attackers can bypass these restrictions and gain unrestricted access to the LM, potentially harming developers’ reputations and leading to significant financial losses. PAPERS PAPERS
30.6.26 Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps Mobile apps store various types of secrets to support their functionalities. These include API keys and cryptographic material to authenticate users and access backend services. Once distributed, attackers can reverse-engineer the apps, and these secrets become accessible, posing risks such as data leaks and service abuse. PAPERS PAPERS
30.6.26 On the (In)Security of LLM App Stores LLM app stores have seen rapid growth, leading to the proliferation of numerous custom LLM apps. However, this expansion raises security concerns. In this study, we propose a three-layer concern framework to identify the potential security risks of LLM apps, i.e., LLM apps with abusive potential, LLM apps with malicious intent, and LLM apps with exploitable vulnerabilities. PAPERS PAPERS
30.6.26 Silent Swap Silent Swap: A Crypto Clipper Extension Campaign MALWARE CRYPTO CLIPPER
30.6.26 GuardFall GuardFall: a universal shell injection vulnerability in open-source AI agents HACKING AI
30.6.26 CVE-2026-33017 Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. VULNEREBILITY VULNEREBILITY
30.6.26 TaskWeaver is a heavily obfuscated Node.js loader, delivered as jquery.js and executed through node.exe, that implements an encrypted, reusable payload delivery channel rather than a fixed set of post exploitation commands. MALWARE JAVASCRIPT
30.6.26 Djinn Stealer The observed second stage payload, Djinn Stealer, targets Windows, macOS, and Linux systems. MALWARE STEALER
30.6.26 CVE-2026-48558 SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. VULNEREBILITY VULNEREBILITY
30.6.26 Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols Apple AirDrop and Google/Samsung Quick Share are proximity file-transfer protocols used by over five billion devices, yet their application-layer security properties remain largely unstudied because both stacks are proprietary and undocumented. PAPERS PAPERS
30.6.26 BioShocking AI BioShocking AI: “Gaming” the AI Browser and Escaping its Guardrails HACKING AI
30.6.26 CVE-2026-43715 A use-after-free issue that could result in memory corruption when processing maliciously crafted web content. It was addressed with improved memory management. VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-43745 An out-of-bounds write issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved input validation. VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-43716 An unspecified issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved memory handling. VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-43707 A memory corruption issue that could result in an unexpected process crash when processing maliciously crafted web content. It was addressed with improved memory handling. VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-8037 OS Command Injection Remote Code Execution Vulnerability in the API of Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints. VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-48558 SimpleHelp Authentication Bypass Vulnerability VULNEREBILITY VULNEREBILITY
30.6.26 CVE-2026-46817 Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. VULNEREBILITY VULNEREBILITY
29.6.26 DCloud Uni-App From San Pedro to Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy SPAM FRAMEWORK
29.6.26 Mustang Panda Mustang Panda targets India's government and energy sectors with ZOHOMURK and MINIRECON APT APT
29.6.26 Gamaredon in 2025 Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances APT APT
29.6.26 DCRAT malware delivered in Operation DragonReturn Operation DragonReturn is a sophisticated, ongoing cyber espionage campaign linked to Chinese-nexus threat actors, designed to compromise India's public and private tax infrastructure. First detected in mid-May 2026 and remaining highly active through June, the operation strategically exploits the AY2026-27 tax-filing season. ALERTS VIRUS
29.6.26 StealC and Amadey Infostealer Infrastructure Targeted in Global Takedown Microsoft Threat Intelligence has published a report on the cybercrime infrastructure powering the StealC information stealer and Amadey loader families, detailing a coordinated global disruption of over 200 command-and-control domains. ALERTS VIRUS
29.6.26 Gaslight - a Rust-based macOS implant SentinelLABS recently identified Gaslight, a novel Rust-based malware implant attributed to North Korean state-sponsored hackers. Discovered in early June and targeting the ARM64 architecture, this malware's most distinctive characteristic is its innovative evasion strategy: it embeds a 3.5 KB prompt-injection payload comprising thirty-eight fabricated system messages. ALERTS VIRUS
29.6.26 Nirsoft tools abused by ransomware actors NirSoft tools are free, lightweight, and portable Windows utilities created by developer Nir Sofer. They are primarily used for password recovery, network monitoring, system troubleshooting, digital forensics, and similar tasks. ALERTS RANSOM
29.6.26 Langflow CVE-2026-33017 vulnerability exploited in campaign delivering cryptominers A newly observed cryptocurrency mining campaign exploits CVE-2026-33017, an unauthorized code execution flaw in Langflow. As reported by researchers from Trend Micro, the attack begins when arbitrary Python code executed through an open Langflow API endpoint downloads a malicious shell script. ALERTS VULNEREBILITY
29.6.26 AMOS (Atomic macOS Stealer) malware deployed in latest ClickFix campaign targeting macOS users A recent macOS ClickFix campaign uses fraudulent CAPTCHA prompts to distribute the Atomic macOS Stealer (AMOS) malware. As reported by researchers from Unit 42, this distribution technique deceives victims into pasting a malicious command directly into their system’s Terminal. ALERTS VIRUS
29.6.26 Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker A relatively new backdoor that we have called Backdoor.Mistic has been deployed in multiple attacks since April 2026. The backdoor was first documented by Zscaler (which tracks it as MLTBackdoor) earlier this month. Mistic may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat) and it was used in one intrusion that also involved the group's ModeloRAT remote access trojan. ALERTS VIRUS
29.6.26 Blue Gryphus RAT Emerges in Latin America with Banking Fraud Capabilities A sophisticated new threat, the Blue Gryphus RAT, has emerged in Latin America, primarily targeting users in Colombia. A report by SCILabs details this .NET-based Remote Access Trojan which acts as a modular banking threat. Reportedly distributed via phishing emails disguised as legal or Windows updates, it deploys droppers that establish persistence, evade Windows Defender, and bypass User Account Control. ALERTS VIRUS
29.6.26 Fake Invoices on WhatsApp Deliver VBScript Malware That Hijacks Systems with RMM A recently observed campaign leveraged compromised WhatsApp accounts to deliver malicious VBScript files. The scripts, disguised as routine financial statements or invoices, trigger a multi-stage infection chain once opened. The malware actively modifies Windows User Account Control settings to increase evasion, facilitating the download and execution of additional payloads. ALERTS VIRUS
29.6.26 Recent operations of the INC ransomware As reported by researchers from Acronis, the INC ransomware variant has risen to prominence as one of the leading RaaS operations, claiming over 800 targets since 2023. The threat actors have transitioned both their Windows and Linux encryptors to the Rust language. They also updated their toolkit, notably developing a credential harvester targeting Veeam backup deployments. ALERTS RANSOM
29.6.26 Prinz Eugen ransomware variant Prinz Eugen is a new Go-based ransomware variant recently discovered by researchers from Malwarebytes. The encryptor employs ChaCha20-Poly1305 encryption with built-in integrity verification, prioritizes recently modified data, and executes unrestricted recursive folder searches, all while leaving no ransom note behind. ALERTS RANSOM
29.6.26 Inside the Gentlemen RaaS Evasion Ecosystem ESET Research has published a detailed investigation into the Gentlemen ransomware-as-a-service (RaaS) gang and its advanced endpoint detection and response (EDR) killer ecosystem. Emerging as a highly active threat in late 2025, Gentlemen stands out by directly providing its affiliates with a standardized, operator-maintained suite of evasion tools rather than requiring them to source their own. ALERTS RANSOM
29.6.26 StegoAd Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign CAMPAIGN CAMPAIGN
29.6.26 Bluekit Phishing-as-a-Service Bluekit Phishing-as-a-Service: Browser-in-the-Middle, Evolved PHISHING Phishing-as-a-Service
29.6.26 Payouts King Ransomware Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware RANSOM RANSOM
29.6.26 MLTBackdoor In May 2026, Zscaler ThreatLabz identified a new malware family that we track as MLTBackdoor that is likely leveraged by a ransomware-related threat actor. MLTBackdoor has been observed by ThreatLabz being delivered in a multi-stage ClickFix infection chain. MALWARE BACKDOOR
29.6.26 Klue Supply Chain Incident & LastPass Response We want to inform our customers of a security incident which recently occurred at one of our third-party suppliers and how that incident impacts LastPass and our customers. INCIDENT INCIDENT
29.6.26 CVE-2026-8461 An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2. VULNEREBILITY VULNEREBILITY
29.6.26 AutoJack AutoJack: How a single page can RCE the host running your AI agent AI AI
29.6.26 CVE-2026-55200 libssh2 through 1.11.1, fixed in commit 7acf3df, contains an out-of-bounds write vulnerability in ssh2_transport_read(), which fails to enforce an upper bound on the packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. VULNEREBILITY VULNEREBILITY
27.6.26 Photo ZIP campaign Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access CAMPAIGN CAMPAIGN
27.6.26 CVE-2026-43503 In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. VULNEREBILITY VULNEREBILITY
27.6.26 CVE-2026-12957 Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. VULNEREBILITY VULNEREBILITY
27.6.26 CVE-2026-46331 In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. VULNEREBILITY VULNEREBILITY
27.6.26 StrikeShark StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader MALWARE LOADER
27.6.26 CVE-2026-12569 A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This advisory also applies to all CPS versions. The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030. VULNEREBILITY VULNEREBILITY
27.6.26 Operation DragonReturn Authors: Dixit Panchal & Soumen Burma. Covers the campaign's key targets, infection chain, initial mail and attachment, the lure (an official GoI Income Tax document), technical analysis, infrastructural artefacts and threat actor attribution, and the campaign timeline. OPERATION OPERATION
25.6.26 macOS.Gaslight macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox MALWARE MAC OS
25.6.26 Backdoor.Mistic Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker MALWARE BACKDOOR
25.6.26 CVE-2026-20245 A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. VULNEREBILITY VULNEREBILITY
24.6.26 CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability VULNEREBILITY VULNEREBILITY
24.6.26 CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability VULNEREBILITY VULNEREBILITY
24.6.26 CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability VULNEREBILITY VULNEREBILITY
24.6.26 CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability VULNEREBILITY VULNEREBILITY
24.6.26 Dismantling FortiBleed Inside a Russian Fortinet compromise operation. OPERATION OPERATION
23.6.26 Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0 Two vulnerabilities have been identified in FastStone Image Viewer 8.3 that may allow remote code execution or control-flow corruption when processing specially crafted image files. ALERT ALERT
23.6.26 Microsoft WinRE allows for bypass of UEFI/BIOS password enforcement Microsoft Windows Recovery Environment (WinRE) provides a mechanism for recovering and repairing Windows systems using an alternate boot environment. Under certain platform implementations, access to WinRE may allow an attacker to bypass firmware security controls, including administrator-configured UEFI/BIOS passwords. ALERT ALERT
23.6.26 CVE-2024-40766 An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. VULNEREBILITY VULNEREBILITY
23.6.26 CVE-2026-41947 (CVSS score: 9.1) - An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. VULNEREBILITY VULNEREBILITY
23.6.26 CVE-2026-41948 (CVSS score: 9.4) - A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization and access internal, private endpoints. VULNEREBILITY VULNEREBILITY
23.6.26 CVE-2026-41949 (CVSS score: 7.5/5.9) - An authorization bypass vulnerability in the file preview endpoint ("/console/api/files/{file_id}/preview") that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. VULNEREBILITY VULNEREBILITY
23.6.26 CVE-2026-41950 (CVSS score: 6.5) - An authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. VULNEREBILITY VULNEREBILITY
22.6.26 Squidbleed (CVE-2026-47729) Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration. PAPERS PAPERS
22.6.26 CVE-2026-50012 Squid (Debian Linux, Ubuntu Linux): Heap-based buffer overflow attack against cache digests VULNEREBILITY VULNEREBILITY
22.6.26 Squidbleed Squid (Debian Linux, Ubuntu Linux): Out-of-bounds read attack against the FTP gateway VULNEREBILITY VULNEREBILITY
22.6.26 CASTLESTEALER Lost in relocation: analysis of a new loader distributing CASTLESTEALER MALWARE STEALER
22.6.26 Inside the Gentlemen RaaS Evasion Ecosystem ESET Research has published a detailed investigation into the Gentlemen ransomware-as-a-service (RaaS) gang and its advanced endpoint detection and response (EDR) killer ecosystem. Emerging as a highly active threat in late 2025, Gentlemen stands out by directly providing its affiliates with a standardized, operator-maintained suite of evasion tools rather than requiring them to source their own. ALERTS RANSOM
22.6.26 SheetCreep RAT delivered in recently discovered espionage operation Securonix has uncovered SheetCreep, an active espionage operation employing diplomatic-themed ISO lures to distribute a C# remote access trojan (RAT). The recently observed campaign initiates via a malicious LNK file masquerading as a UAE-India strategic partnership document, primarily targeting Indian foreign relations personnel. ALERTS VIRUS
22.6.26 CVE-2026-34908 - UniFi OS Auth Bypass Vulnerability CVE-2026-34908 is a recently disclosed critical (CVSS score 10) Improper Access Control vulnerability affecting Ubiquiti UniFi OS devices. If successfully exploited the flaw might allow malicious actors with network access to make unauthorized changes to the vulnerable system. ALERTS VULNEREBILITY
22.6.26 CVE-2026-54420 - LiteSpeed cPanel Plugin vulnerability CVE-2026-54420 is a recently disclosed high-severity (CVSS score 8.5) UNIX Symbolic Link (Symlink) following vulnerability affecting LiteSpeed cPanel plugin (all versions before 2.4.8, as distributed in LiteSpeed WHM Plugin before 5.3.2.0). If successfully exploited the flaw might allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS. This vulnerability has already been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. ALERTS VULNEREBILITY
22.6.26 Rokarolla Android Banking Malware Researchers at Zimperium have shared details about an Android banking trojan dubbed Rokarolla which targets over 200 cryptocurrency and financial applications. The malware spreads via deceptive websites masquerading as legitimate applications like Google Chrome. ALERTS VIRUS
22.6.26 Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden Attackers deploying the DragonForce ransomware against a major U.S. services firm hid their command-and-control (C&C) traffic inside Microsoft Teams’ own relay infrastructure, using a custom Go-based backdoor that Symantec is tracking as Backdoor.Turn. To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months. ALERTS APT
22.6.26 Fake Software Tutorials Push Stealer from TikTok and Instagram According to ReversingLabs, threat actors are using TikTok and Instagram Reels to distribute phishing-style tutorials that promote free access to premium software. The actors use short videos, copied account templates, Windows-themed branding, and engagement tactics such as saves, shares, and comment prompts to increase reach. ALERTS VIRUS
22.6.26 10FXRAT Campaign Targets Organizations in Japan According to LAC, organizations in Japan were targeted in April 2026 by spear-phishing attacks that deployed PXDropper, PoisonX, and 10FXRAT. The latter is a modular remote access trojan that supports system reconnaissance, command execution, SOCKS5 tunneling, plugin loading, and additional theft-oriented capabilities. ALERTS VIRUS
22.6.26 OnyxC2 Stealer In a recent write-up, BlackFog details OnyxC2, a malware-as-a-service infostealer advertised on cybercrime forums and packaged with multiple subscription tiers. The malware is designed to collect credentials, cookies, autofill data, wallet material, and other sensitive information from more than 210 applications and browser extensions. ALERTS VIRUS
22.6.26 SilabRAT malware First emerging on dark web marketplaces in late 2025, SilabRAT (commercially branded as SnappyClient) is an advanced Remote Access Trojan operated under the Malware-as-a-Service umbrella. Group-IB analysts have reported that cybercriminals have been deploying this malware through email spam and ClickFix schemes. ALERTS VIRUS
22.6.26 BlueRabbit - a new Golang-based backdoor with ransomware capabilities BlueRabbit is a sophisticated, Go-based backdoor variant believed to be operated by an Iranian cyber espionage group. As reported by analysts from Binary Defense, the malware routes command operations through RabbitMQ open-source message broker, tracks victim states with Redis, and steals sensitive data using S3-compatible MinIO channel transfers. ALERTS VIRUS
22.6.26 HarborWatch Agent Delivered Through ClickFix Social Engineering According to Cofense, an Amazon-themed phishing campaign has been used to deliver HarborWatch Agent, a custom monitoring RAT. The campaign targets email users in organizations, with no specific sector or region identified in the published analysis. Recipients are sent a fake account security alert that leads to a lookalike verification page using ClickFix-style instructions. ALERTS VIRUS
22.6.26 AryStinger More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers BOTNET BOTNET
21.6.26 Prinz Eugen ransomware Prinz Eugen ransomware: a deep dive into a new Go-based encryptor RANSOM RANSOM
21.6.26 CVE-2026-11311 When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. VULNEREBILITY VULNEREBILITY
21.6.26 CVE-2026-50107 When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. VULNEREBILITY VULNEREBILITY
21.6.26 SearchLeak SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon HACKING M365 COPILOT
21.6.26 CVE-2026-48172 LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via the Bash command line grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. If you get no output, you have not been hit with exploitation of the vulnerability. VULNEREBILITY VULNEREBILITY
21.6.26 CVE-2026-48558 SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. VULNEREBILITY VULNEREBILITY
21.6.26 Vendor-signed UEFI applications found vulnerable to Secure Boot bypass Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. ALERT ALERT
21.6.26 SignalRGB kernel driver contains improper access control and IOCTL vulnerabilities The SignalRGB kernel driver, SignalIo.sys, contains two vulnerabilities involving improper access control and unsafe memory handling. The device object is created with an overly permissive Discretionary Access Control List (DACL) that allows user-mode processes to access privileged hardware operations through input/output control (IOCTL) commands. ALERT ALERT
20.6.26 PoisonX BYOVD Driver Bypasses CrowdStrike EDR Microsoft-signed kernel driver used in a BYOVD attack to kill CrowdStrike Falcon. Learn how the driver’s hidden IOCTL enables process termination from kernel mode and why modern EDR solutions can be bypassed. EXPLOIT EXPLOIT
20.6.26 Bomgar RMM Exploitation Threat Advisory: Uptick in Bomgar RMM Exploitation EXPLOIT EXPLOIT
20.6.26 Introducing usbliter8 An A12/A13 SecureROM exploit PAPERS PAPERS
20.6.26 usbliter8 An A12/A13 SecureROM exploit EXPLOIT EXPLOIT
20.6.26 CVE-2026-4020 The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. VULNEREBILITY VULNEREBILITY
20.6.26 AutoJack AutoJack: How a single page can RCE the host running your AI agent ATTACK AI
20.6.26 Operation FanTrap Operation FanTrap reveals FIFA 2026 fraud ecosystem with 4,000+ fake domains, phishing, streaming scams, and dark web-driven cybercrime activity. OPERATION OPERATION
19.6.26 FortiBleed FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure CAMPAIGN CAMPAIGN
19.6.26 CVE-2026-42530 (CVSS v4 score: 9.2) - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module, by reopening a QPACK encoder stream through a specially crafted HTTP/3 session, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. VULNEREBILITY VULNEREBILITY
19.6.26 CVE-2026-42055 (CVSS v4 score: 9.2) - A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules that could be triggered by a remote unauthenticated attacker when the proxy_http_version directive is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 MB, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. VULNEREBILITY VULNEREBILITY
19.6.26 CVE-2025-20701 About the security content of Beats Firmware Update 1B211 VULNEREBILITY VULNEREBILITY
18.6.26 Crypto Clipper Crypto Clipper uses Tor and worm-like propagation for persistence and control MALWARE CLIPPER
18.6.26 CVE-2023-52271 The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which will be named at a later time). VULNEREBILITY VULNEREBILITY
18.6.26 CVE-2025-61155 The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL requests. VULNEREBILITY VULNEREBILITY
18.6.26 CVE-2025-1055 A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. VULNEREBILITY VULNEREBILITY
18.6.26 CVE-2026-50656 Microsoft Defender Elevation of Privilege Vulnerability VULNEREBILITY VULNEREBILITY
18.6.26 Operation Poisson Cato CTRL™ Threat Research: Operation Poisson – Analyzing a Cybercriminal’s Entire Operation OPERATION OPERATION
17.6.26 easy-day-js: Supply Chain Campaign easy-day-js: Supply Chain Campaign Targets Mastra npm Packages CAMPAIGN CAMPAIGN
17.6.26 Potemkin Someone's Hands Are on Your Keyboard Then Your Whole Network. Courtesy of ClickFix, Potemkin, RMMProject and EtherRAT MALWARE Loader
17.6.26 Hijacking Vertex AI Model Uploads for Cross-Tenant RCE Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE HACKING HACKING
17.6.26 BabaDeda Loader What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign MALWARE Loader
17.6.26 CVE-2026-48907 A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. VULNEREBILITY VULNEREBILITY
16.6.26 Rokarolla Rokarolla : Android Banker with Complete Device Takeover Capabilities MALWARE BANKING
16.6.26 CVE-2026-25089 An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. VULNEREBILITY VULNEREBILITY
16.6.26 CVE-2026-39808 An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here> VULNEREBILITY VULNEREBILITY
16.6.26 CVE-2026-39813 A path traversal ('../filedir') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via <insert attack vector here> VULNEREBILITY VULNEREBILITY
16.6.26 SprySOCKS FishMonger’s arsenal upgraded: SprySOCKS for Windows MALWARE BACKDOOR
16.6.26 NarwhalRAT Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2 MALWARE RAT
16.6.26 CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability VULNEREBILITY VULNEREBILITY
16.6.26 CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability VULNEREBILITY VULNEREBILITY
16.6.26 UNK_DeadDrop Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency CAMPAIGN CAMPAIGN
15.6.26 CVE-2026-40217 LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI. VULNEREBILITY VULNEREBILITY
15.6.26 CVE-2026-47102 LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. VULNEREBILITY VULNEREBILITY
15.6.26 CVE-2026-47101 LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. VULNEREBILITY VULNEREBILITY
15.6.26 Reprompt Reprompt: The Single-Click Microsoft Copilot Attack that Silently Steals Your Personal Data ATTACK ATTACK
15.6.26 CVE-2026-42824 M365 Copilot Information Disclosure Vulnerability VULNEREBILITY VULNEREBILITY
15.6.26 Sniper’s Nest Sniper’s Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud CAMPAIGN CAMPAIGN
15.6.26 CVE-2026-0257 Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues. VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-42897 Microsoft Exchange Server Spoofing Vulnerability VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-10520 An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution. VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-34910 A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-34909 A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-34908 A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. VULNEREBILITY VULNEREBILITY
14.6.26 CVE-2026-52806 CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026) VULNEREBILITY VULNEREBILITY
14.6.26 NFCShare NFCShare Android Trojan: NFC card data theft via malicious APK MALWARE ANDROID
13.6.26 FlutterShell macOS backdoor leveraged within the Operation FlutterBridge Security researchers from Unit 42 reported on Operation FlutterBridge, a widespread macOS malvertising campaign that represents an evolution of the older JSCoreRunner threat. The attackers now deploy a sophisticated backdoor payload named FlutterShell that leverages the Flutter framework. The malware masquerades as legitimate desktop applications but executes malicious background activities, including file system tampering, arbitrary shell command execution, and environment variable exfiltration. ALERTS VIRUS
13.6.26 OnionDrop loader malware The Howler Cell Threat Research Team has identified OnionDrop, a highly sophisticated, multi-stage malware loader designed to distribute infostealing payloads. First discovered active in early 2026, the campaign is associated with more than 645 unique DLL samples uncovered by researchers, and it evolved from prior operations involving the CGrabber and Direct-sys loaders. ALERTS VIRUS
13.6.26 Recent activities of the Blue Margay threat group In a recent report, the analysts from SCILabs have detailed the tactics, techniques, and procedures of Blue Margay, an active threat group targeting Brazilian users and organizations to conduct banking and cryptocurrency fraud. Initial compromise is achieved primarily through targeted phishing emails masquerading as Brazil’s Ministry of Finance or various internal corporate departments. ALERTS GROUP
13.6.26 CVE-2026-7465 - Spectra Gutenberg Blocks RCE Vulnerability CVE-2026-7465 is a recently disclosed high-severity (CVSS score 8.8) Remote Code Execution (RCE) vulnerability affecting Spectra Gutenberg Blocks, a Website Builder for the Block Editor plugin for WordPress. If successfully exploited, the flaw might allow authenticated attackers with contributor-level access or higher to execute arbitrary PHP code on the server host. ALERTS VULNEREBILITY
13.6.26 Threat Actors Leverage Old WinRAR Vulnerability to Deliver Data-Stealing Malware Researchers at Trend Micro have highlighted recent campaigns targeting Ukrainian organizations by Russian-aligned threat actors. The report focuses on the exploitation of CVE-2025-8088, a long-patched WinRAR vulnerability. The WinRAR flaw allows attackers to quietly deploy malware families including GIFTEDCROOK, GammaSteel, and GammaWorm. These variants are designed to steal credentials, monitor files, collect sensitive documents, and maintain long-term access to compromised systems. ALERTS VULNEREBILITY
13.6.26 CVE-2026-11645 - Chrome V8 Zero-Day vulnerability exploited in the wild CVE-2026-11645 is a recently disclosed high-severity (CVSS score 8.8) out-of-bounds memory access vulnerability in Google Chrome's V8 JavaScript and WebAssembly engine. If successfully exploited, the flaw might allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability has already been reported as being exploited in the wild. ALERTS VULNEREBILITY
13.6.26 SilentNet – A RAT/Stealer masquerading as a Minecraft Hack Client SilentNet is a Java-based remote access trojan and infostealer sold as a malware-as-a-service offering. It is actively promoted on platforms including YouTube and is already being used in the wild by various actors. ALERTS VIRUS
13.6.26 Operation TaxShadow Researchers from Cyfirma disclosed details of a sophisticated phishing campaign, dubbed "Operation TaxShadow", that targets victims by impersonating Indian tax authorities. Using urgent, government-branded emails, attackers lure users to a deceptive portal to download a malicious ZIP archive containing a three-stage payload. Once executed, the threat leverages DLL hijacking, API hooking, and token manipulation to successfully elevate its privileges. ALERTS OPERATION
13.6.26 C0XMO - a new Gafgyt malware variant The cybersecurity researchers at FortiGuard Labs identified C0XMO, a novel variant of the Gafgyt botnet. This malware spreads by leveraging CVE-2021-27137, a critical stack buffer overflow vulnerability within the UPnP service of certain vulnerable DD-WRT routers. ALERTS VIRUS
13.6.26 CVE-2026-45321 - TanStack npm supply chain compromise CVE-2026-45321 is a recently disclosed critical (CVSS score 9.6) supply chain vulnerability affecting the TanStack npm ecosystem. The attackers leveraged GitHub Actions and trusted-publisher workflows to publish 84 malicious versions across 42 tanstack packages under a trusted identity. The published payloads contained credential-stealing malware. This vulnerability has already been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. ALERTS VULNEREBILITY
13.6.26 CVE-2026-20253 In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. VULNEREBILITY VULNEREBILITY
13.6.26 Atomic Arch Atomic Arch: Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malware CAMPAIGN CAMPAIGN
13.6.26 Operation Highland Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected OPERATION OPERATION
13.6.26 CVE-2024-20399 A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. VULNEREBILITY VULNEREBILITY
13.6.26 Velvet Ant China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence GROUP GROUP
12.6.26 Agentjacking Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code ATTACK AI
12.6.26 CVE-2026-27022 (CVSS score: 6.5) - A RediSearch Query Injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain/langgraph-checkpoint-redis versions before 1.0.1) VULNEREBILITY VULNEREBILITY
12.6.26 CVE-2026-28277 (CVSS score: 6.8) - An unsafe msgpack deserialization vulnerability in LangGraph that could be used to trigger object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. (Affects langgraph versions before 1.0.10) VULNEREBILITY VULNEREBILITY
12.6.26 CVE-2025-67644 (CVSS score: 7.3) - A SQL injection vulnerability exists in LangGraph's SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. (Affects langgraph-checkpoint-sqlite versions before 3.0.1) VULNEREBILITY VULNEREBILITY
12.6.26 CVE-2026-35273 Oracle Security Alert Advisory - CVE-2026-35273 VULNEREBILITY VULNEREBILITY
12.6.26 Phishing for Lobsters Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets PHISHING PHISHING
12.6.26 Phantom Mantis Operation Phantom Mantis, initially known as ArmCorp, is a financially motivated threat group active since March 2025. The group conducts intrusions for extortion and is led by a Russian-speaking criminal tracked as LARVA-368. OPERATION OPERATION
11.6.26 crypton-x509-validation Haskell libraries do not enforce X.509 NameConstraints A vulnerability has been discovered in the Haskell TLS software stack, commonly used by applications built in the Haskell programming language to securely connect to servers over the internet. ALERT ALERT
11.6.26 Microsoft-signed UEFI shim bootloaders vulnerable to Secure Boot bypass Microsoft-signed UEFI bootloaders of the open-source shim project, primarily from version 0.9 and earlier, were identified as vulnerable to Secure Boot bypass. To mitigate this risk, the affected bootloaders will be added to the Microsoft UEFI Forbidden Signature Database (DBX). ALERT ALERT
11.6.26 Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. ALERT ALERT
11.6.26 NPM Ignore Scripts Best NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages HACKING HACKING
11.6.26 OceanLotus OceanLotus: From external espionage to domestic targeting APT APT
11.6.26 JDY Expanded JDY IoT and SOHO botnet enables rapid vulnerability exploitation BOTNET BOTNET
10.6.26 CVE-2026-25089 An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-5027 The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../'). VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-11645 (CVSS score: 8.8) - An out-of-bounds read and write vulnerability in Google Chrome V8 that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-7473 (CVSS score: 6.9) - An incomplete comparison with missing factors vulnerability in Arista Extensible Operating System (EOS) that could be exploited to process non-configured tunnel traffic. VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-47291 (CVSS score: 9.8) - An integer overflow or wraparound flaw in Windows HTTP.sys that allows an unauthorized attacker to execute code over a network. VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44815 (CVSS score: 9.8) - A stack-based buffer overflow vulnerability in Windows DHCP Client that allows an unauthorized attacker to execute code over a network. VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-45655 Windows BitLocker Security Feature Bypass Vulnerability VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-45658 Windows BitLocker Security Feature Bypass Vulnerability VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-50507 Windows BitLocker Security Feature Bypass Vulnerability VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-45586 (CVSS score: 7.8) - Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-49160 (CVSS score: 7.5) - HTTP.sys denial-of-service vulnerability VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44295 Code injection in pbjs static output from crafted schema names VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44294 Denial of service from crafted field names in generated code VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44292 Per-instance prototype injection in generated message constructors VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44291 Code generation gadget after prototype pollution VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44290 Process-wide denial of service when loading schemas with unsafe option paths VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44289 Denial of service through unbounded protobuf recursion VULNEREBILITY VULNEREBILITY
10.6.26 CVE-2026-44963 A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. VULNEREBILITY VULNEREBILITY
9.6.26 AI AGENTS ENABLE ADAPTIVE COMPUTER WORMS A computer worm is malware that spreads on a network by replicating itself from one machine to another. Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities PAPERS PAPERS
9.6.26 CVE-2025-8088 A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. VULNEREBILITY VULNEREBILITY
9.6.26 CVE-2026-11645 Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) VULNEREBILITY VULNEREBILITY
9.6.26 FROST ATTACK FROST: Fingerprinting Remotely using OPFS-based SSD Timing ATTACK ATTACK
9.6.26 FROST ATTACK FROST: Fingerprinting Remotely using OPFS-based SSD Timing PAPERS PAPERS
9.6.26 Miasma Worm Campaign Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave CAMPAIGN CAMPAIGN
9.6.26 CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability VULNEREBILITY VULNEREBILITY
9.6.26 CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability VULNEREBILITY VULNEREBILITY
9.6.26 kernel/git/torvalds/linux.git nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. VULNEREBILITY VULNEREBILITY
9.6.26 CVE-2026-23111 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. VULNEREBILITY VULNEREBILITY
8.6.26 Fighting Spyware WhatsApp caught and disrupted spear phishing attempts linked to NSO, a spyware firm blacklisted by the US government. MALWARE SPYWARE
8.6.26 CVE-2026-50751 A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. VULNEREBILITY VULNEREBILITY
8.6.26 UNC3753 Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms GROUP GROUP
7.6.26 VerdantBamboo VerdantBamboo: Just Another BRICKSTORM in the Firewall INCIDENT INCIDENT
7.6.26 Atlas RAT TA4922: The Suspected Chinese Crime Group is Going Global MALWARE RAT
7.6.26 CVE-2026-49200 The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access. VULNEREBILITY VULNEREBILITY
7.6.26 CVE-2026-49201 The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. VULNEREBILITY VULNEREBILITY
7.6.26 CVE-2024-21182 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. VULNEREBILITY VULNEREBILITY
7.6.26 CVE-2026-41089 Windows Netlogon Remote Code Execution Vulnerability VULNEREBILITY VULNEREBILITY
6.6.26 TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. GROUP GROUP
6.6.26 Patch-to-PoC: A Systematic Study of Agentic LLM Systems for Linux Kernel N-Day Reproduction Autonomous large language model (LLM) based systems have recently shown promising results across a range of cybersecurity tasks. However, there is no systematic study on their effectiveness in autonomously reproducing Linux kernel vulnerabilities with concrete proofs-of-concept (PoCs). PAPERS PAPERS
6.6.26 Python RAT deployment under the disguise of RVTools Security researchers from K7 Security Labs recently identified a malicious campaign distributing a fake installer for RVTools, a popular management utility. Once executed, the installer initiates a three-stage payload delivery. It begins with an obfuscated VBScript hidden inside the binary, which executes a hidden PowerShell command to pull down a malicious archive from a Dropbox repository.  ALERTS VIRUS
6.6.26 TA4922 Delivers Atlas RAT in Recent Campaigns The sophisticated Chinese-speaking cybercrime group TA4922 is rapidly expanding its global reach with an aggressive operational tempo and a highly dangerous, evolving malware arsenal. Security researchers from Proofpoint have tracked the group shifting away from its traditional East Asian focus to deploy devastating new payloads across Europe and Africa. ALERTS APT
6.6.26 Espionage Campaign Targeted Stock Exchange Executive for Five Months A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive's calendar, travel pattern, and their contacts. ALERTS CAMPAIGN
6.6.26 Pakistan-Linked SideCopy Deploys XenoRAT in Targeted Government Espionage Campaign Researchers at Seqrite have uncovered Operation XENOFISCAL, an aggressive cyber campaign targeting Afghanistan’s Ministry of Finance and attributed to the Pakistan-linked threat group SideCopy. The attack begins with spear-phishing emails containing a ZIP archive that delivers a malicious shortcut file.  ALERTS VIRUS
6.6.26 Miasma credential-stealing campaign Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. CAMPAIGN CAMPAIGN
6.6.26 TanStack Supply Chain Attack On 11 May 2026, the threat actor group TeamPCP compromised 42 TanStack npm packages by chaining three GitHub Actions vulnerabilities to hijack the project's legitimate CI/CD pipeline. The attackers then published 84 malicious package versions carrying valid SLSA Build Level 3 provenance attestations, making them indistinguishable from legitimate releases by standard verification methods. HACKING HACKING
6.6.26 Miasma Worm Miasma Worm Targets AI Coding Agents via GitHub Repos MALWARE WORM
6.6.26 IronWorm IronWorm: Shai-Hulud's rustier cousin MALWARE WORM
6.6.26 CVE-2026-28318 SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability VULNEREBILITY VULNEREBILITY
6.6.26 CVE-2026-20245 Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability VULNEREBILITY VULNEREBILITY
6.6.26 OverlayPhantom Cyble analyzes OverlayPhantom, an Android banking trojan targeting 180+ apps across 10 countries, stealing credentials via fake overlays and real-time screen streaming. MALWARE BANKING
5.6.26 Argamal In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. MALWARE RAT
5.6.26 MiniPlasma Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability VULNEREBILITY VULNEREBILITY
5.6.26 Cluster OP-512 ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512 GROUP GROUP
5.6.26 CVE-2026-3300 The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). VULNEREBILITY VULNEREBILITY
5.6.26 GHOST STADIUM The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament CAMPAIGN CAMPAIGN
5.6.26 CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability VULNEREBILITY VULNEREBILITY
5.6.26 Poisoning Claude Code Poisoning Claude Code: One GitHub Issue to Break the Supply Chain AI AI
4.6.26 TA4922 TA4922: The Suspected Chinese Crime Group is Going Global GROUP GROUP
4.6.26 Operation FlutterBridge Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor OPERATION OPERATION
4.6.26 Calendaromatic Kroll has seen widespread installation of the application "Calendaromatic", which it classifies as a Potentially Unwanted Program (PUP) – Adware. MALWARE PUP
4.6.26 JSCoreRunner New malware JSCoreRunner is spreading via fake PDF converters MALWARE JS
4.6.26 CVE-2026-23479 Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. VULNEREBILITY VULNEREBILITY
4.6.26 CVE-2026-45247 Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. VULNEREBILITY VULNEREBILITY
4.6.26 DesckVB RAT DesckVB RAT first emerged around February 2026 and has been making the rounds ever since. The activity originated from a malspam kit. MALWARE RAT
3.6.26 CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2025-48595 In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. VULNEREBILITY VULNEREBILITY
3.6.26 Stealthy Loader A Missing Piece in PlushDaemon: Anatomy of a Stealthy Loader MALWARE LOADER
3.6.26 PixyNetLoader Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 MALWARE LOADER
3.6.26 CVE-2024-21182 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2016-1546 The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows. VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2026-33829 Windows Snipping Tool Spoofing Vulnerability VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability VULNEREBILITY VULNEREBILITY
3.6.26 Hidden HTTP/2 Bomb 14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed. HACKING WWW
3.6.26 HPACK HPACK: the silent killer (feature) of HTTP/2 HACKING WWW
3.6.26 CVE-2016-6581 A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2025-53020 Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. VULNEREBILITY VULNEREBILITY
3.6.26 CVE-2016-8740 The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. VULNEREBILITY VULNEREBILITY
2.6.26 CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability KEV KEV
2.6.26 Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments VoLTE deployments on Verizon’s IMS network have historically lacked IPsec-based integrity protection for SIP signaling, contravening well-established requirements in 3GPP TS 33.203 and GSMA IR.92. As a result, SIP messages—including registration (REGISTER), call setup (INVITE), and messaging (MESSAGE)—were transmitted in plaintext without cryptographic guarantees of integrity or authenticity. ALERT ALERT
2.6.26 Appsmith's SQL Query autocomplete renderer contains a cross-site scripting vulnerability A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror-based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer-level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. ALERT ALERT
2.6.26 Collibra Agent contains improper authentication and path traversal vulnerabilities The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. ALERT ALERT
2.6.26 PCTCore64.sys Windows kernel driver contains missing access control vulnerability The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\.\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. ALERT ALERT
2.6.26 New PureLogs Variant Targets Browsers, Discord, and Cryptocurrency Wallets Researchers at FortiGuard Labs have highlighted a sophisticated new phishing campaign that is actively deploying a dangerous fileless PureLogs variant designed to aggressively harvest sensitive user information. Initially disguised as a standard purchase order, the attack utilizes heavily obfuscated JavaScript and a malicious PowerShell script to subtly hijack a trusted Windows process through process hollowing. ALERTS CRYPTOCURRENCY
2.6.26 Telegram Campaign Delivers Silent Stealer In a recent write-up, the Ransom-ISAC Research Team details a Telegram-distributed Silent Stealer v2.6.5 build packaged by a distributor operating under the alias ShinySpider. ALERTS CAMPAIGN
2.6.26 MacOS malware distributed in the JINX-0164 campaign The Wiz Customer Incident Response Team (CIRT) has identified JINX-0164, a previously unreported cyber threat actor targeting cryptocurrency organizations since at least mid-2025. Using recruitment-themed social engineering, the attackers employ credible LinkedIn profiles to offer virtual meetings to developers. ALERTS CAMPAIGN
1.6.26 TencShell Cato CTRL Threat Research: Suspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware MALWARE RAT
1.6.26 ESET APT Activity Report Q4 2025–Q1 2026 CONFLICT-INFORMED ESPIONAGE: MONITORING OIL SHIPMENTS, TARGETING DRONE MAKERS REPORT REPORT
1.6.26 CVE-2026-8732 The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. VULNEREBILITY VULNEREBILITY