Vulnerabilities
Two more plugin RCEs are under active exploitation: Everest Forms Pro CVE-2026-3300 (CVSS 9.8), a PHP-injection flaw Wordfence has blocked tens of thousands of times, and Magento's Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8), now added to CISA's KEV catalog.
Vulnerabilities
A critical flaw in the Kirki WordPress plugin (CVE-2026-8206, CVSS 9.8) lets an unauthenticated attacker send any account's password-reset link — including an admin's — to their own email and seize it. Versions 6.0.0–6.0.6 are fixed in 6.0.7; BleepingComputer reports exploitation.
Account Takeover (ATO)
Dashlane now says the brute-force attack it disclosed on May 31 succeeded: by defeating 2FA on about 20 customer accounts, attackers downloaded copies of those users' encrypted password vaults. The vaults stay locked behind each user's master password, but affected users should rotate.
Artificial Intelligence (AI)
Attackers seized high-profile Instagram accounts by exploiting a 'confused deputy' flaw in Meta's AI support bot: they asked it to bind a new email, the bot sent the one-time code to the attacker, and the owner was locked out. Meta has pushed an emergency hotfix.
Vulnerabilities
CVE-2026-8732, a CVSS 9.8 flaw in the WP Maps Pro WordPress plugin, lets any unauthenticated attacker mint an administrator account on 15,000 affected sites. Wordfence blocked 2,858 exploitation attempts in a single 24-hour window. Patch is in v6.1.1.
Public Sector Security
A City Hall clerk in Alexandria, Tennessee caught a hacker using the town's Amazon account to order three cameras and an iPad. The detection was a person noticing — no security control fired. Thousands of US municipalities are in the same posture.
Cyber Attacks
Ukrainian police have arrested three individuals who systematically used stolen session cookies to access and sell more than 610,000 Roblox accounts, targeting profiles with accumulated in-game currency and rare items and reselling them through Russian criminal platforms for cryptocurrency. KYIV, UKRAINE — Ukrainian law enforcement has detained three suspects
Spyware
Italian-linked surveillance firm IPS Intelligence is tied to a new Android spyware, “Morpheus,” that tricks targets into installing a fake “update” app and then hijacks WhatsApp accounts using biometric-spoofing overlays. The case highlights how commercial spyware vendors are turning to mobile-phishing tactics to deploy powerful snooping tools.
Cyber Attacks
A “mobile SMS blaster” deployed from vehicles in Toronto mimicked cell towers, hijacked tens of thousands of phones, and caused 13 million network disruptions—temporarily blocking 911 access while sending massive volumes of fraudulent texts under Project Lighthouse. TORONTO, ONTARIO — In a first-of-its-kind cybercrime investigation in Canada,
Identity Theft
A highly sophisticated phishing operation is utilizing hyper-personalized "copyright strike" warnings to bypass security instincts and seize full control of Google accounts and YouTube channels. MOUNTAIN VIEW, CA — A new and alarmingly convincing phishing campaign is currently targeting YouTube creators, leveraging their greatest fear: the sudden loss
Data Breaches
The world’s largest cryptocurrency ATM operator has confirmed a security incident involving its corporate hot wallets, leading to the unauthorized transfer of 50.9 Bitcoin. ATLANTA — Bitcoin Depot, the leading provider of cryptocurrency ATMs globally, has disclosed a significant security breach that occurred earlier this week. According to corporate
Data Breaches
A major vulnerability in a prominent companion AI platform has led to the public exposure of sensitive prompts and account identifiers, highlighting the privacy risks of generative AI data retention. SAN FRANCISCO — Security researchers have confirmed a significant data breach at MyLovely.ai, a popular "AI companion" platform.