CISA and Partners Warn Hackers Are Targeting Fuel-Tank Monitoring Systems

CISA, the FBI, NSA, Department of Energy and other US agencies warn that hackers are targeting internet-exposed automatic tank gauge (ATG) systems that monitor fuel storage, modifying device settings via command execution. The fix: get them off the public internet.

Five Eyes: China Is Using LinkedIn and Job Sites to Recruit Insiders

A joint Five Eyes advisory warns that Chinese intelligence officers, posing as recruiters and consultants for front companies, are using LinkedIn, Indeed and Upwork to recruit government, military and cleared personnel — and anyone with access to classified or privileged information.

WordPress and Magento Plugin RCE Keeps Coming: Everest Forms Exploited, Mirasvit Added to KEV

Two more plugin RCEs are under active exploitation: Everest Forms Pro CVE-2026-3300 (CVSS 9.8), a PHP-injection flaw Wordfence has blocked tens of thousands of times, and Magento's Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8), now added to CISA's KEV catalog.

A Poisoned Notification Can Hijack Google Gemini's Voice Assistant on Android

SafeBreach researchers found that a single poisoned notification — from WhatsApp, Slack or SMS — could hijack Google Gemini's voice assistant on Android with no malicious app installed, reaching smart-home controls and poisoning the assistant's long-term memory. Google has patched it.

One Click in VS Code Steals Your GitHub Token — the Researcher Skipped Coordinated Disclosure

Researcher Ammar Askar disclosed a one-click attack via VS Code's GitHub.dev that steals a GitHub OAuth token with read-write access to private repos. He published the PoC with about an hour's notice, blaming Microsoft's disclosure process.

The Bugs AI Found This Week: an HTTP/2 'Bomb' and a Two-Year-Old Redis RCE

Two vulnerabilities disclosed this cycle were found by AI tooling: HTTP/2 Bomb (CVE-2026-49975), a remote DoS that crashes NGINX, Apache, IIS, Envoy and Cloudflare Pingora in default config, and CVE-2026-23479, a two-year-old authenticated RCE in Redis.

Cisco Unified CM CVE-2026-20230: A Public PoC for an Unauthenticated SSRF That Climbs to Root

Cisco patched CVE-2026-20230, an unauthenticated server-side request forgery flaw in Unified Communications Manager that lets a network attacker write files and escalate to root. Public proof-of-concept code is already out; Cisco's PSIRT reports no in-the-wild exploitation yet.

The Top CVEs of May 2026: Edge Devices Under Active Attack While Patch Tuesday Goes Quiet

Microsoft shipped its first zero-day-free Patch Tuesday since June 2024 — but the month's real action was elsewhere: a CISA Emergency Directive for Cisco SD-WAN, exploited PAN-OS flaws, and a Drupal core SQL-injection, all under active attack.

What Is an Incident Response Plan?

A clear guide to incident response plans — what they are, why every organization needs one, what they should contain, and how to build, test, and maintain one.

Pentagon's Top Cyber Official Wants Cyber in Every Operation — and Security Built Into AI From Day One

The Pentagon's top cyber official, Katherine Sutton, says the Defense Department must pull cyber 'out of its silo' and build it into every operation from day one — and must bake security into the AI tools it adopts, rather than treating it as an afterthought.

Trump Signs a Scaled-Back AI Executive Order Built Around Sharing AI-Found Vulnerabilities With Critical Infrastructure

Trump signed an executive order on June 2 setting up a voluntary framework for the government to vet 'covered frontier' AI models for up to 30 days before release and to share AI-found vulnerabilities with critical-infrastructure operators — notably narrower than an earlier draft.

Anthropic Expands Project Glasswing to About 150 Critical-Infrastructure Organizations Across 15+ Countries

Anthropic is extending Project Glasswing — which uses its Claude Mythos model to find software flaws — to about 150 more organizations in 15-plus countries, most of them critical-infrastructure operators a major attack could each affect, the company estimates, 100 million-plus people.