Vulnerabilities
55 articles
CISA Adds SimpleHelp, Samsung MagicINFO, and End-of-Life D-Link Flaws to KEV Catalog as DragonForce Ransomware and Mirai Botnets Exploit Them in the Wild
CISA's April 24 KEV update flags four actively exploited vulnerabilities tied to ransomware against managed service providers and Mirai DDoS botnets, with a May 8 federal patching deadline.
CISA Adds Windows Shell and ConnectWise ScreenConnect Flaws to KEV After Microsoft's April Patch Failed to Mark Zero-Click Bug as Exploited
CISA added CVE-2026-32202 and CVE-2024-1708 to the Known Exploited Vulnerabilities catalog on April 28, giving federal agencies until May 12 to patch a zero-click NTLM coercion flaw whose Patch Tuesday entry carried no exploitation marker.
Marimo Python Notebook Pre-Auth RCE Weaponized 9 Hours After Disclosure as CISA Adds CVE to KEV Catalog
An unauthenticated WebSocket flaw in the popular Marimo notebook (CVE-2026-39987, CVSS 9.3) was weaponized within 9 hours 41 minutes of disclosure, with credential theft completed in under three minutes. CISA has since added the bug to its KEV catalog with a May 7 federal deadline.
Windows Defender's Own Engine Weaponized: Three Zero-Days Put SYSTEM Privileges in Attacker Hands
A researcher's protest disclosure turned Microsoft Defender's remediation engine into an attack vector, with two of three zero-days remaining unpatched as ransomware actors move in.
Microsoft's Own Patch Tuesday Update Introduced a Critical ASP.NET Core Flaw, Forcing an Emergency 10.0.7 Release
A regression shipped in .NET 10.0.6 broke HMAC validation and exposed cookie-forging attacks. Microsoft released out-of-band .NET 10.0.7 on April 21 to patch CVE-2026-40372, rated 9.1 CVSS.
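To make concrete what "broke HMAC validation and exposed cookie-forging attacks" means in general, here is an added illustration in Python. It is not Microsoft's code and does not reproduce the actual .NET 10.0.6 defect; the key, the cookie layout ("payload.tag"), and the lenient verifier's specific mistake (treating a missing tag as "nothing to check") are constructed assumptions chosen to show the bug class beside the hardened form.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real service loads this from a key store, never from source.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookies usually carry it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise claims and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie_lenient(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Hypothetical broken verifier (assumption, not the real .NET bug):
    the tag is only checked when one is present, so a tagless cookie is
    accepted as-is and the attacker controls every claim."""
    payload, _, tag = cookie.partition(".")
    if tag:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
    # No tag: falls through and trusts attacker-supplied bytes.
    return json.loads(_unb64(payload))


def verify_cookie_strict(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Hardened verifier: the tag is mandatory, compared in constant time,
    and any parse failure is treated as an invalid cookie, never as 'skip'."""
    payload, sep, tag = cookie.partition(".")
    if not sep or not payload or not tag:
        return None
    try:
        given = _unb64(tag)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    try:
        return json.loads(_unb64(payload))
    except ValueError:
        return None


def forge_admin_cookie() -> str:
    """Attacker's move when the tag is effectively optional: send a payload
    with no tag at all. No key material is needed."""
    return _b64(json.dumps({"user": "admin", "role": "admin"}).encode())


if __name__ == "__main__":
    legit = sign_cookie({"user": "alice", "role": "user"})
    forged = forge_admin_cookie()
    print("lenient accepts forged cookie:", verify_cookie_lenient(forged))
    print("strict rejects forged cookie:", verify_cookie_strict(forged))
    print("strict accepts genuine cookie:", verify_cookie_strict(legit))
```

The point to carry into code review: a MAC check must fail closed. Any branch that reaches the "trusted" path without having run compare_digest on a mandatory tag (missing tag, unparseable tag, exception swallowed) is a cookie-forging bug, regardless of how strong the underlying HMAC is.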
MCPwn Flaw in Nginx UI Becomes the First Major MCP Vulnerability Exploited in the Wild
A missing authentication check on a Model Context Protocol endpoint in nginx-ui exposes roughly 2,600 servers to full takeover, and unauthenticated exploitation is practical when paired with a second flaw that leaks a required node secret.
Firefox 150 Ships With 271 AI-Found Vulnerabilities Patched, as Mozilla Declares Defenders Can Finally Win
Mozilla released Firefox 150 on April 21, 2026, fixing 271 vulnerabilities surfaced by Anthropic's Claude Mythos Preview in a security sweep Mozilla's CTO calls a turning point for defender-side AI.
Adobe Rushes Out Acrobat Reader Patch for Zero-Day Exploited Since December
Adobe says CVE-2026-34621 is under active exploitation in Acrobat and Reader; the flaw can lead to arbitrary code execution and prompted a CISA KEV deadline.
CISA Adds 13-Year-Old Apache ActiveMQ RCE to KEV Catalog, Giving Federal Agencies Two Weeks to Patch a Bug Found by Claude in Ten Minutes
CISA added CVE-2026-34197, a 13-year-old remote code execution flaw in Apache ActiveMQ Classic, to its Known Exploited Vulnerabilities catalog on April 16 as Horizon3.ai's Naveen Sunkavally described finding the chain with Anthropic's Claude in about ten minutes.
Cisco Patches Four Critical Flaws in Identity Services Engine and Webex, Including a 9.8-Severity SSO Bypass
Cisco discloses four critical vulnerabilities across ISE and Webex, with the most severe allowing unauthenticated attackers to impersonate any user via a broken SSO certificate check.
Microsoft's April 2026 Patch Tuesday Ships 163 Fixes, Including an Exploited SharePoint Spoofing Flaw and a Publicly Disclosed Defender Escalation
April's update is Microsoft's second-largest Patch Tuesday on record, with eight critical flaws, two zero-days, and privilege escalation bugs accounting for well over half of the patches.
Wasmtime Ships Largest-Ever Security Patch After LLM-Driven Audit Uncovers 12 Vulnerabilities Including Two Critical Sandbox Escapes
The Bytecode Alliance patches 12 Wasmtime flaws, two critical, found during a three-week LLM-assisted security sprint by Mozilla, UCSD, Akamai, and F5.