Cybersecurity
MiniPlasma: A Five-Year-Old Windows Zero-Day Resurfaces With Working PoC, Granting SYSTEM Privileges on Fully Patched Systems
A researcher named Chaotic Eclipse released a working exploit for an unpatched Windows privilege escalation flaw in the Cloud Filter driver, confirmed to grant SYSTEM access on fully patched Windows 11.
Pwn2Own Berlin 2026 Closes With $1.3 Million in Prizes and 47 Zero-Days as DEVCORE Claims Master of Pwn
DEVCORE took the top prize with $505,000 and 50.5 points after three days at OffensiveCon, where 47 unique zero-days in Windows, Exchange, VMware, and AI tools earned researchers $1,298,250.
Mini Shai-Hulud Worm Hits TanStack, Mistral AI and UiPath, Compromising 170+ npm and PyPI Packages With 518M Combined Downloads
TeamPCP's May 11 supply-chain attack abused a pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft to ship 84 malicious TanStack versions and spread to Mistral AI, UiPath and others.
Microsoft Confirms Active Exploitation of Unpatched Exchange Server CVE-2026-42897 as CISA Adds It to KEV With May 29 Deadline
Microsoft has disclosed an actively exploited cross-site scripting flaw in on-premises Exchange Server's Outlook Web Access. No patch has shipped; CISA gave federal agencies until May 29 to apply mitigations.
DepthFirst's AI Scanner Surfaces NGINX Rift, an 18-Year-Old Heap Overflow in the Rewrite Module That Enables Unauthenticated RCE
An LLM-powered scanner from security startup DepthFirst flagged a heap buffer overflow that had sat undetected in NGINX's rewrite module for roughly 18 years, prompting F5 to ship coordinated patches on May 13.
Cisco Patches Sixth SD-WAN Zero-Day of 2026 as CISA Adds CVE-2026-20182 to KEV With Three-Day Federal Deadline
A second authentication bypass in the same vdaemon stack as February's CVE-2026-20127 carries a CVSS 10.0 and is being exploited by the same UAT-8616 cluster, Cisco and Talos disclosed on May 14.
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories with 8 TB Data and 11 Million Documents Stolen
World's largest electronics manufacturer acknowledges cyberattack claimed by Nitrogen ransomware group on North American factories; attackers allege 8 TB data theft including confidential schematics for Apple, Nvidia, Google and others, with production now resuming.
PostgreSQL Ships Coordinated Security Release Fixing 11 CVEs Across Five Supported Versions
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 landed May 14, fixing 11 security flaws and over 60 bugs, with four CVEs rated 8.8.
Apple and Google Begin Rolling Out End-to-End Encrypted RCS Between iPhones and Androids as iOS 26.5 Ships With Beta Support
On May 11, 2026 Apple shipped iOS 26.5 with beta support for end-to-end encrypted RCS messaging across iPhone and Android, the first large-scale interoperable encrypted messaging deployment between competing mobile platforms.
XBOW Discloses 'Dead.Letter' Use-After-Free in Exim's BDAT Path, CVSS 9.8 Pre-Auth RCE Against GnuTLS Builds 4.97 to 4.99.2
CVE-2026-45185, found by XBOW's Federico Kirschbaum and patched in Exim 4.99.3, lets an unauthenticated SMTP client corrupt the heap via a TLS close_notify during a CHUNKING transfer.
Microsoft Unveils MDASH, a Multi-Model Agentic Security Harness That Tops the CyberGym Leaderboard and Finds 16 Windows Bugs
Microsoft's new Autonomous Code Security team disclosed MDASH alongside its May 2026 Patch Tuesday, crediting the multi-model agentic scanner with 16 Windows vulnerabilities — four of them critical RCEs — and an 88.45 percent score on CyberGym.
Vercel Ships Coordinated Next.js Security Release Patching 13 Advisories Across DoS, Middleware Bypass, SSRF and Cache Poisoning
Next.js 15.5.18 and 16.2.6 land with a 13-advisory bundle covering a React Server Components DoS (CVE-2026-23870), middleware-bypass routes, SSRF, and cache poisoning; Vercel says the WAF cannot reliably block them.