Security

Windows Kernel Bug Breaks Every Browser Sandbox — And It Almost Stayed Secret Until Pwn2Own

A security researcher prepared a devastating Windows kernel exploit for Pwn2Own Berlin 2026 — then had to watch it go public days before the contest …

PoC Exploit Released for Drupal's Critical SQL Injection CVE-2026-9082

A day after Drupal's emergency patches landed, security researchers at Searchlight Cyber have published a full technical breakdown of CVE-2026-9…

Nine-Year-Old Linux Kernel Flaw CVE-2026-46333 Lets Attackers Steal SSH Keys, Shadow Passwords, and Root Access

The Qualys Threat Research Unit (TRU) has released the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel's __ptrace_may_access()…

Drupal Patches Highly Critical SQL Injection That Lets Anonymous Attackers Hijack PostgreSQL-Backed Sites

Drupal has pushed emergency security updates for a highly critical SQL injection vulnerability in its core database abstraction layer — the kind of f…

PinTheft: New Linux Exploit Steals Kernel References to Root Shell

A working proof-of-concept exploit for a new Linux kernel privilege escalation bug called PinTheft went public this week, adding another name to a gr…

PostgreSQL Patches 11 Security Flaws, Including Code Execution and a Sneaky Password-Stealing Timing Attack

The world's most popular open-source database just dropped its biggest security update of the year — and if you haven't patched yet, attacker…

GitHub's Own Codebase Was Breached — A Poisoned VS Code Extension Was All It Took

The world's largest code-hosting platform just became the victim of its own ecosystem. On May 20, 2026, GitHub confirmed that a threat actor exf…

Microsoft's durabletask Hit by TeamPCP — Your Cloud Keys Were the Target

TeamPCP has quietly poisoned yet another trusted developer package — and this time the target was sitting inside Microsoft's own toolchain. Three…

Microsoft Busts "Fox Tempest" — A Dark Web Service That Sold Fake Code Signatures to Ransomware Gangs

Microsoft has dismantled a sophisticated criminal operation that essentially ran a paid signing service for malware, allowing ransomware groups to ma…

Storm-2949 Hackers Turned One Stolen Password Reset Into a Full Azure Cloud Takeover

A single helpdesk phone call was all it took. Microsoft's Threat Intelligence team has published a detailed breakdown of how a threat actor it t…

Grafana Labs Refuses Ransom After GitHub CI Flaw Exposed Its Source Code

Grafana Labs publicly confirmed this week that attackers stole a GitHub access token through a misconfigured CI/CD pipeline, downloaded private sourc…

Microsoft Exchange Zero-Day Exploited in the Wild — and Pwn2Own Researchers Just Made It Worse

Microsoft Exchange Server is having a very bad week. While threat actors are already exploiting a critical cross-site scripting vulnerability in the …

Linux Kernel Had a Six-Year Bug That Let Anyone Steal SSH Host Keys and Root Passwords

A logic flaw sitting quietly in the Linux kernel since at least 2020 — possibly longer — just got a working exploit, a public proof-of-concept, and a…

Google's Security Team Built a Zero-Click Root Exploit for the Pixel 10

Google's elite Project Zero security team has done it again — this time turning the Pixel 10 into a case study for how hardware driver vulnerabil…

NGINX Rift: An 18-Year-Old Bug Lets Hackers Hijack One-Third of the Internet's Web Servers

A memory corruption flaw in NGINX's source code, hidden since 2008, now has a working exploit. An unauthenticated attacker anywhere on the intern…

Linux Kernel Strikes Again: "Fragnesia" Is the Third Root-Level Flaw in Two Weeks

Linux administrators have barely had time to recover from Copy Fail and Dirty Frag — and now there's a third exploit joining the same dangerous f…

Composer Bug Silently Dumped GitHub Tokens Into CI Logs — Patch Now

Millions of PHP developers who rely on Composer for dependency management were silently exposed to a token-leaking vulnerability this week — one that…

Microsoft's AI Just Found 16 Windows Vulnerabilities Humans Missed — And It's Only Getting Started

For decades, finding dangerous bugs buried deep inside Windows has been a job for elite human researchers armed with time and hard-won instinct. Toda…

Exim Mail Server Has a Critical Unauthenticated RCE — And an AI Helped Build the Exploit

A critical security vulnerability in Exim — the mail server software running on roughly half of all internet-facing email servers — allows a remote a…

Hackers Used AI to Build a Real Zero-Day Exploit — And Almost Deployed It at Scale

For the first time, researchers have confirmed that a criminal threat actor used artificial intelligence to discover and weaponize a zero-day vulnera…