Security

Microsoft Exchange Zero-Day Exploited in the Wild — and Pwn2Own Researchers Just Made It Worse

Microsoft Exchange Server is having a very bad week. While threat actors are already exploiting a critical cross-site scripting vulnerability in the …

Linux Kernel Had a Six-Year Bug That Let Anyone Steal SSH Host Keys and Root Passwords

A logic flaw sitting quietly in the Linux kernel since at least 2020 — possibly longer — just got a working exploit, a public proof-of-concept, and a…

Google's Security Team Built a Zero-Click Root Exploit for the Pixel 10

Google's elite Project Zero security team has done it again — this time turning the Pixel 10 into a case study for how hardware driver vulnerabil…

NGINX Rift: An 18-Year-Old Bug Lets Hackers Hijack One-Third of the Internet's Web Servers

A memory corruption flaw in NGINX's source code, hidden since 2008, now has a working exploit. An unauthenticated attacker anywhere on the intern…

Linux Kernel Strikes Again: "Fragnesia" Is the Third Root-Level Flaw in Two Weeks

Linux administrators have barely had time to recover from Copy Fail and Dirty Frag — and now there's a third exploit joining the same dangerous f…

Composer Bug Silently Dumped GitHub Tokens Into CI Logs — Patch Now

Millions of PHP developers who rely on Composer for dependency management were silently exposed to a token-leaking vulnerability this week — one that…

Microsoft's AI Just Found 16 Windows Vulnerabilities Humans Missed — And It's Only Getting Started

For decades, finding dangerous bugs buried deep inside Windows has been a job for elite human researchers armed with time and hard-won instinct. Toda…

Exim Mail Server Has a Critical Unauthenticated RCE — And an AI Helped Build the Exploit

A critical security vulnerability in Exim — the mail server software running on roughly half of all internet-facing email servers — allows a remote a…

Hackers Used AI to Build a Real Zero-Day Exploit — And Almost Deployed It at Scale

For the first time, researchers have confirmed that a criminal threat actor used artificial intelligence to discover and weaponize a zero-day vulnera…

TanStack Packages Hit by Sophisticated Supply Chain Attack

A self-propagating worm has torn through the TanStack JavaScript ecosystem, publishing 84 malicious versions across 42 widely used npm packages in a …

JDownloader Website Hacked — Malicious Installers Served to Windows and Linux Users

JDownloader, one of the most widely used free download managers with millions of users across Windows, macOS, and Linux, had its official website com…

React and Next.js Hit With 12 Security Flaws — Three Let Attackers Bypass Auth, Hijack Servers

Vercel and the React team have fixed 13 vulnerabilities affecting Next.js and React Server Components, with three high-severity flaws drawing the mos…

Dirty Frag — No Patch, No Warning — Root Access on Every Major Linux Distro

Discovered by Korean security researcher Hyunwoo Kim, Dirty Frag chains two separate kernel vulnerabilities to hand any local user a root shell on vi…

Ubuntu's X Account Appears Hijacked to Push Fake "Numbat" Solana AI Agent Crypto Scam

Ubuntu users and open-source enthusiasts should be on high alert: a sophisticated impersonation campaign is exploiting Ubuntu's branding — and po…

Palo Alto PAN-OS Zero-Day Under Active Attack — No Patch Available Yet

Attackers are already exploiting a critical zero-day vulnerability in Palo Alto Networks' PAN-OS, the operating system powering the company's…

Apache HTTP Server's HTTP/2 Module Has a Memory Bug That Can Crash or Compromise Your Server

A memory management flaw buried inside Apache HTTP Server's HTTP/2 module is giving attackers two options: crash your web server with a two-frame…

WhatsApp Quietly Fixed Two Flaws That Could Make Malware Look Like a PDF

If you use WhatsApp on Windows, here is something worth knowing: until recently, an attacker could send you what looked like a harmless document — a …

A 21-Year-Old PHP Vulnerability That Opens the Door to Remote Code Execution

A security vulnerability that has been hiding inside PHP since 2005 — quietly surviving two decades of audits, engine rewrites, and dozens of related…

Lightning PyPI Package Compromised in Supply Chain Attack

If you're building, training, or shipping AI models with PyTorch Lightning, check your installed version immediately — two freshly published rele…

CVE-2026-41940: cPanel Authentication Bypass Was Already Being Exploited Before the Patch Even Dropped

On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths…