Follow Cyber Kendra on Google News! | WhatsApp | Telegram

Add as a preferred source on Google
Vulnerability

Researchers Turn Claude Code and Codex Into Malware Launchers With a Poisoned README

Ask an AI coding agent to review an open-source library for security flaws, and it might just run the malware hiding inside it instead. That's th…

15-Year-Old Linux Kernel Bug 'GhostLock' Lets Any Local User Seize Root, Break Out of Containers

A privilege-escalation flaw that has quietly sat inside the Linux kernel since 2011 has finally been exposed — and it hands root access to any unpriv…

Critical Unpatched Flaw in CyberPanel Lets Any User Seize Root on the Server

A newly disclosed zero-day in CyberPanel — one of the most widely deployed open-source hosting control panels — allows any authenticated user, even o…

One Malicious Link, Full Root Access — Nebula Security Demos the World's First Android 17 Exploit Chain

Clicking an unknown link has always been risky advice, but a new exploit published today makes the danger more visceral than ever. YC-backed security…

CVE-2026-55200 — Critical libssh2 Flaw Enables Zero-Auth RCE

A critical security flaw in libssh2 — the SSH library silently embedded in curl, backup utilities, and IoT firmware worldwide — lets unauthenticated …

Squidbleed: 1997 Squid Proxy Bug Leaks HTTP Credentials

Security researchers have uncovered a nearly three-decade-old vulnerability in Squid Proxy that lets anyone sharing the same proxy silently steal oth…

OpenAI's Codex AI Discovers "HTTP/2 Bomb" That Can Crash Major Web Servers in Seconds

An AI model just found a decade-old attack that human security researchers somehow missed — and it works against almost every major web server on the…

An AI Security Tool Dug Up a 2-Year-Old Redis Bug That Lets Attackers Take Over Servers

A flaw that sat undetected in Redis for over two years — silently present in every stable release since version 7.2.0 — has been patched after an AI-…

A Forged Kernel Key and a Rootful Helper: Inside the CIFSwitch Linux Privilege Escalation

A security researcher has disclosed a Linux local privilege escalation — dubbed CIFSwitch — that lets any unprivileged user silently escalate to roo…

BadHost (CVE-2026-48710): One Rogue Header Line Unlocks Your Entire AI Stack

A single, malformed HTTP header is all it takes to walk past the front door of thousands of Python-powered AI applications — no credentials, no token…

LiteSpeed cPanel Plugin Flaw Lets Any Shared Hosting User Take Over the Entire Server

A critical privilege escalation bug in LiteSpeed's user-end cPanel plugin — now confirmed as actively exploited in the wild — can hand any ordina…

NGINX Hit by Second Unauthenticated RCE —'nginx-poolslip'

F5 has rushed out a security advisory for a second critical heap overflow vulnerability in NGINX's URL rewriting engine this month — and this one…

Trend Micro's Own Security Tool Turned Against Enterprises — Apex One Zero-Day Actively Exploited

The endpoint security software meant to protect enterprise networks from attackers has itself become a target. Trend Micro has patched a zero-day vul…

Windows Kernel Bug Breaks Every Browser Sandbox — And It Almost Stayed Secret Until Pwn2Own

A security researcher prepared a devastating Windows kernel exploit for Pwn2Own Berlin 2026 — then had to watch it go public days before the contest …

PostgreSQL Patches 11 Security Flaws, Including Code Execution and a Sneaky Password-Stealing Timing Attack

The world's most popular open-source database just dropped its biggest security update of the year — and if you haven't patched yet, attacker…

Composer Bug Silently Dumped GitHub Tokens Into CI Logs — Patch Now

Millions of PHP developers who rely on Composer for dependency management were silently exposed to a token-leaking vulnerability this week — one that…

Exim Mail Server Has a Critical Unauthenticated RCE — And an AI Helped Build the Exploit

A critical security vulnerability in Exim — the mail server software running on roughly half of all internet-facing email servers — allows a remote a…

Dirty Frag — No Patch, No Warning — Root Access on Every Major Linux Distro

Discovered by Korean security researcher Hyunwoo Kim, Dirty Frag chains two separate kernel vulnerabilities to hand any local user a root shell on vi…

Palo Alto PAN-OS Zero-Day Under Active Attack — No Patch Available Yet

Attackers are already exploiting a critical zero-day vulnerability in Palo Alto Networks' PAN-OS, the operating system powering the company's…

CVE-2026-41940: cPanel Authentication Bypass Was Already Being Exploited Before the Patch Even Dropped

On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths&…