Cybersecurity
138 articles
MCPwn Flaw in Nginx UI Becomes the First Major MCP Vulnerability Exploited in the Wild
A missing authentication check on a Model Context Protocol endpoint in nginx-ui exposes roughly 2,600 servers to full takeover, and unauthenticated exploitation is practical when paired with a second flaw that leaks a required node secret.
Firefox 150 Ships With 271 AI-Found Vulnerabilities Patched, as Mozilla Declares Defenders Can Finally Win
Mozilla released Firefox 150 on April 21, 2026, fixing 271 vulnerabilities surfaced by Anthropic's Claude Mythos Preview in a security sweep Mozilla's CTO calls a turning point for defender-side AI.
FBI's 2025 Internet Crime Report Creates Its First AI Category, Logging 22,364 Complaints and $893 Million in Losses
For the first time in 25 years, the FBI's IC3 annual report carves out a standalone artificial intelligence section, formally recognizing AI-enabled fraud as a distinct policy concern.
Adobe Rushes Out Acrobat Reader Patch for Zero-Day Exploited Since December
Adobe says CVE-2026-34621 is under active exploitation in Acrobat and Reader; the flaw can lead to arbitrary code execution and prompted a CISA KEV deadline.
CISA Adds 13-Year-Old Apache ActiveMQ RCE to KEV Catalog, Giving Federal Agencies Two Weeks to Patch a Bug Found by Claude in Ten Minutes
CISA added CVE-2026-34197, a 13-year-old remote code execution flaw in Apache ActiveMQ Classic, to its Known Exploited Vulnerabilities catalog on April 16 as Horizon3.ai's Naveen Sunkavally described finding the chain with Anthropic's Claude in about ten minutes.
Operation Atlantic Freezes $12 Million in Crypto Scam Proceeds and Identifies 20,000 Approval Phishing Victims Across Three Continents
A week-long NCA-led operation with the US Secret Service and Canadian police disrupted approval phishing scams, freezing millions while identifying fraud wallets across more than 30 countries.
Chrome and Firefox Retire DigiCert's G1 Root Certificates, Closing the Book on a Two-Decade-Old WebPKI Anchor
On April 15, 2026, Mozilla and Google removed DigiCert's legacy G1 root certificates from their trust stores, forcing holdouts on legacy chains to reissue TLS certificates or face untrusted errors.
Cisco Patches Four Critical Flaws in Identity Services Engine and Webex, Including a 9.8-Severity SSO Bypass
Cisco discloses four critical vulnerabilities across ISE and Webex, with the most severe allowing unauthenticated attackers to impersonate any user via a broken SSO certificate check.
NIST Abandons Universal CVE Enrichment, Shifting the National Vulnerability Database to Risk-Based Triage as Submissions Surge 263 Percent
NIST will now enrich only CVEs meeting federal priority criteria, leaving thousands of vulnerabilities without severity scores as AI-driven discovery overwhelms the 21-person NVD team.
ACLU-Led Coalition of 75 Groups Demands Meta Abandon 'Name Tag' Facial Recognition Before It Ships on Ray-Ban Glasses
A 75-organization coalition is pressing Meta to permanently drop plans for a face-identifying feature on its AI glasses, calling it 'a red line society must not cross.'
Microsoft's April 2026 Patch Tuesday Ships 163 Fixes, Including an Exploited SharePoint Spoofing Flaw and a Publicly Disclosed Defender Escalation
April's update is Microsoft's second-largest Patch Tuesday on record, with eight critical flaws, two zero-days, and privilege escalation bugs accounting for well over half of the patches.
Meta Removes End-to-End Encryption From Instagram DMs as Take It Down Act Deadline Approaches
Meta will strip end-to-end encryption from Instagram direct messages on May 8, citing low adoption, just eleven days before the Take It Down Act compels platforms to police intimate content.