Cybersecurity 101
Common Types of Software Vulnerabilities
A clear guide to the common types of software vulnerabilities — from memory and injection flaws to broken authentication, access control, and misconfigurations.
Vulnerabilities
Obsidian Security published proof-of-concept code on May 30, 2026 for CVE-2026-40933, a CVSS 10.0 remote code execution flaw in Flowise. A malicious chatflow import owns the server. Patch 3.1.0 contains the fix.
Vulnerabilities
Palo Alto Networks has confirmed that attackers are actively exploiting CVE-2026-0257, an authentication-bypass flaw in PAN-OS GlobalProtect that lets them set up VPN sessions on internet-facing firewalls with no credentials. Rapid7 has observed successful intrusions.
Vulnerabilities
A new Linux kernel LPE called CIFSwitch lets unprivileged local users forge a cifs.spnego key description and hijack the kernel key-request mechanism, getting cifs.upcall to run attacker-controlled NSS code as root. PoC is public; CVE assignment is pending.
Cybersecurity 101
A clear guide to security vulnerabilities — what they are, the common types, how they are discovered and tracked with CVE and CVSS, and how they are managed.
Vulnerabilities
Arctic Wolf says threat actors are exploiting the patched FortiClient EMS flaw CVE-2026-35616 to deploy EKZ, a previously unreported credential stealer disguised as a Fortinet endpoint update and pushed across managed endpoints through the EMS management pathway itself.
Vulnerabilities
The researcher behind a six-week run of uncoordinated Microsoft zero-day disclosures pledged a July 14, 2026 'bone-shattering' Windows exploit drop. Microsoft signaled law-enforcement action and pulled the researcher's GitHub account. Both sides have hardened.
Vulnerabilities
Rapid7 Labs disclosed an unpatched CVSSv4 9.4 argument-injection (CWE-88) flaw in Gogs that lets any authenticated user achieve remote code execution by injecting --exec into git rebase via a malicious branch name. The second critical self-hosted-Git flaw in one week.
Vulnerabilities
Microsoft's MSRC publicly condemned a six-flaw run of uncoordinated zero-day disclosures, saying the leaks put customers at 'unnecessary risk.' It's a position shift after six weeks of researcher disclosures that forced emergency response. The story is the tension itself.
Vulnerabilities
Gitea disclosed CVE-2026-27771, a registry authorization flaw that lets unauthenticated attackers pull private container images from any self-hosted Gitea below 1.26.2. It collapses the security premise of self-hosting: keeping images off public registries.
Vulnerabilities
Google's Threat Intelligence Group caught attackers exploiting CVE-2026-5426, a hardcoded ASP.NET machineKey in Digital Knowledge's KnowledgeDeliver LMS, to forge ViewState payloads, drop the Godzilla web shell, and stage Cobalt Strike Beacon. The patch alone is not enough.
Vulnerabilities
Microsoft patched CVE-2026-45659, a CVSS 8.8 deserialization RCE in SharePoint Server. The 'authenticated' precondition is barely a precondition — any account with Site Member, the lowest SharePoint role, can trigger it. Patch this week.