Vulnerability

Dirty Frag — No Patch, No Warning — Root Access on Every Major Linux Distro

Discovered by Korean security researcher Hyunwoo Kim, Dirty Frag chains two separate kernel vulnerabilities to hand any local user a root shell on vi…

Palo Alto PAN-OS Zero-Day Under Active Attack — No Patch Available Yet

Attackers are already exploiting a critical zero-day vulnerability in Palo Alto Networks' PAN-OS, the operating system powering the company's…

CVE-2026-41940: cPanel Authentication Bypass Was Already Being Exploited Before the Patch Even Dropped

On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths…

A Single Git Push Was All It Took to Compromise GitHub — Millions of Repos Were Exposed

A critical vulnerability in GitHub's internal infrastructure allowed any authenticated user to execute arbitrary commands on GitHub's backend…

Hackers Targeted LiteLLM's AI Gateway Just 36 Hours After Critical SQL Injection Flaw Went Public

A critical, unauthenticated SQL injection vulnerability in LiteLLM — the open-source gateway that tens of thousands of organisations use to manage AP…

Anthropic's MCP Design Flaw Enables Remote Code Execution Across 200,000+ AI Servers

A single architectural decision baked into Anthropic's Model Context Protocol has quietly turned the backbone of the AI agent ecosystem into a re…

PHP Composer Hit by Two Command Injection Flaws That Work Even Without Perforce Installed

If you use PHP's Composer package manager, stop what you're doing and run composer.phar selfupdate right now. Two newly disclosed command i…

Critical Axios Flaw Enables Full Cloud Takeover

Axios, the JavaScript HTTP client powering over 100 million npm downloads every week, is under fire again — this time from a quietly lurking code-lev…

Fortinet Rushes Emergency Patch After Zero-Day in FortiClient EMS Caught Mid-Exploitation

A critical zero-day vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) was already being weaponized by attackers when resea…

Progress ShareFile Storage Zone Controller Hit With Critical Pre-Auth RCE Chain — Patch Now

Offensive security firm watchTowr has disclosed a critical two-vulnerability chain in Progress ShareFile's on-premises Storage Zone Controller (S…

Opening a Single File in Vim Can Hand Attackers Full Control of Your System

A two-bug chain quietly sitting in Vim since version 9.1.1391 lets a malicious file execute arbitrary shell commands the moment you open it — no plug…

One Packet. Full Root. GNU Telnetd Has a Critical Hole Nobody Logged

Security researchers have found a critical, pre-authentication remote code execution flaw in the telnetd server in GNU Inetutils that allows any unau…

Hackers Could Hijack Your Machine Just by Sharing a Git Repo — Claude Code Users Were at Risk

Developers who use Anthropic's Claude Code to write software with AI assistance were sitting on a serious security blind spot: cloning the wrong …

n8n Hit Again: Critical RCE Flaw Lets Attackers Hijack Servers by Chaining Three Harmless-Looking Nodes

Security researcher Fatih Çelik has disclosed yet another critical remote code execution (RCE) vulnerability in n8n, the popular open-source workflow…

Critical Flaws Exposed in zkLogin: Zero-Knowledge Proofs Can't Fix Broken Authentication

Brave Software researchers have disclosed critical vulnerabilities in zkLogin, a widely-deployed blockchain authentication system used across the Sui…

Credential-Stealing Flaw in Ivanti EPM Lets Hackers Waltz Past Authentication

Ivanti just patched a critical authentication bypass in its Endpoint Manager that hands attackers stored credentials on a silver platter—no login req…

Critical RCE Flaw in Popular Manga Translation Tool Exposes Thousands to Takeover

A critical security vulnerability in manga-image-translator, a widely used open-source OCR tool with over 9,300 GitHub stars, allows attackers to exe…

New Notepad Flaw That Lets Hackers Execute Code via Markdown Files

Microsoft patched a serious security hole in Windows Notepad this week that could allow attackers to remotely execute malicious code on victims' …

AI Discovers Critical Zero-Click Flaw Threatening 8,500 Enterprise Remote Access Systems

Thousands of organisations running BeyondTrust's remote access tools face immediate risk after an AI security system uncovered a critical pre-aut…

NGINX Servers Exposed: Response Injection Flaw Puts Millions of Web Applications at Risk

A newly disclosed vulnerability in NGINX web servers could allow attackers positioned between servers and upstream systems to manipulate data flowing…