Cybersecurity writer and analyst. Covering breaches, threats, and vulnerabilities — analysis beyond the headline.
Vulnerabilities
Cisco patched CVE-2026-20230, an unauthenticated server-side request forgery flaw in Unified Communications Manager that lets a network attacker write files and escalate to root. Public proof-of-concept code is already out; Cisco's PSIRT reports no in-the-wild exploitation yet.
Vulnerabilities
Two vulnerabilities disclosed this cycle were found by AI tooling: HTTP/2 Bomb (CVE-2026-49975), a remote DoS that crashes NGINX, Apache, IIS, Envoy and Cloudflare Pingora in default config, and CVE-2026-23479, a two-year-old authenticated RCE in Redis.
Vulnerabilities
Researcher Ammar Askar disclosed a one-click attack via VS Code's GitHub.dev that steals a GitHub OAuth token with read-write access to private repos. He published the PoC with about an hour's notice, blaming Microsoft's disclosure process.
Artificial Intelligence (AI)
SafeBreach researchers found that a single poisoned notification — from WhatsApp, Slack or SMS — could hijack Google Gemini's voice assistant on Android with no malicious app installed, reaching smart-home controls and poisoning the assistant's long-term memory. Google has patched it.
Vulnerabilities
Two more plugin RCEs are under active exploitation: Everest Forms Pro CVE-2026-3300 (CVSS 9.8), a PHP-injection flaw Wordfence has blocked tens of thousands of times, and Magento's Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8), now added to CISA's KEV catalog.
Nation-State Cyber Threats
A joint Five Eyes advisory warns that Chinese intelligence officers, posing as recruiters and consultants for front companies, are using LinkedIn, Indeed and Upwork to recruit government, military and cleared personnel — and anyone with access to classified or privileged information.
Critical Infrastructure
CISA, the FBI, NSA, Department of Energy and other US agencies warn that hackers are targeting internet-exposed automatic tank gauge (ATG) systems that monitor fuel storage, modifying device settings via command execution. The fix: get them off the public internet.
Data Breaches
The UN World Food Programme says its self-registration application for Palestine was breached, exposing names, ID and mobile numbers and location data for roughly 600,000 Gaza households — potentially the largest-known breach of humanitarian beneficiary data to date.
Vulnerabilities
Researcher RyotaK of GMO Flatt Security found a flaw in Anthropic's Claude Code GitHub Action that let a single opened issue take over public repos running it. Anthropic fixed it within days (v1.0.94) and paid a bounty; the durable lesson is product-agnostic.
CVE Watch
Microsoft shipped its first zero-day-free Patch Tuesday since June 2024 — but the month's real action was elsewhere: a CISA Emergency Directive for Cisco SD-WAN, exploited PAN-OS flaws, and a Drupal core SQL-injection, all under active attack.
Cybersecurity 101
A clear guide to incident response plans — what they are, why every organization needs one, what they should contain, and how to build, test, and maintain one.
Policy & Government
The Pentagon's top cyber official, Katherine Sutton, says the Defense Department must pull cyber 'out of its silo' and build it into every operation from day one — and must bake security into the AI tools it adopts, rather than treating it as an afterthought.