Vulnerabilities
A critical authentication vulnerability in cPanel and WebHost Manager allowed attackers to access hosting control panels without valid credentials — and exploits were confirmed in the wild before the emergency patch was released on April 28, 2026. HOUSTON, TX — cPanel has issued an emergency security update to address a critical flaw
Vulnerabilities
A pro-Ukrainian hacktivist group called PhantomCore has been exploiting three TrueConf video conferencing flaws (BDU-2025-10114, 10115, 10116) since September 2025 to breach Russian networks. By chaining these vulnerabilities, the group bypasses authentication and executes arbitrary OS commands, turning video conferencing servers into springboards for lateral movement and data harvesting. ST.
Vulnerabilities
Microsoft has patched a serious Entra ID (Azure AD) misconfiguration that exposed an “agent-only” role for Microsoft Graph PowerShell that was not properly restricted to Microsoft’s own internal agents. Attackers who obtained secrets for a service-principal-linked app registration could exploit this role to escalate privileges and pivot to long-term
Vulnerabilities
A stored cross-site scripting flaw in Zimbra Collaboration Suite (CVE-2025-48700) is now being exploited in the wild against more than 10,000 exposed servers worldwide, prompting CISA to add the bug to its Known Exploited Vulnerabilities catalog and order U.S. federal agencies to patch within three days. GLOBAL — For
Vulnerabilities
A newly-disclosed Server-Side Request Forgery flaw in the LMDeploy LLM inference-serving toolkit is already under active exploitation, with attackers using a vision-language-module endpoint as an SSRF primitive to probe AWS IMDS, internal databases, and admin planes within minutes of patch availability. SHANGHAI, CHINA — The window between a vulnerability disclosure and
Vulnerabilities
Security researchers at Kaspersky have uncovered PhantomRPC, an architectural-level vulnerability in Windows Remote Procedure Call that lets attackers deploy a fake RPC server and escalate privileges from low-privileged contexts to SYSTEM or Administrator — without requiring a classic memory-corruption bug. SINGAPORE — In the world of Windows exploitation, attackers usually hunt for
Vulnerabilities
A file-upload bug in the Breeze Cache plugin is under active exploitation, but only sites with the optional “Host Files Locally – Gravatars” feature enabled appear exposed. The issue highlights how a niche plugin setting can create outsized risk across a large WordPress install base. VALENCIA, SPAIN — Threat actors have begun
Vulnerabilities
A 12-year-old TOCTOU bug in the Linux PackageKit daemon, now dubbed Pack2TheRoot (CVE-2026-41651), allows local users to silently install system packages and escalate to full root on many default-install Linux desktops and servers. BONN, GERMANY — Security researchers from Deutsche Telekom’s Red Team have disclosed a high-severity local privilege escalation
Vulnerabilities
Microsoft Defender LPE (CVE-2026-33825) added to KEV catalog after Huntress confirms wild exploitation; 2 related zero-days remain unpatched. WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent mandate for all Federal Civilian Executive Branch (FCEB) agencies to patch a high-severity Microsoft Defender zero-day. The vulnerability,
Vulnerabilities
iOS 18.7.8 fixes a notification retention flaw after the FBI used Cellebrite to extract cached Signal message previews from deleted iPhone apps in a high-profile Texas criminal case. CUPERTINO, CA — Apple has released a critical out-of-band security update — iOS 18.7.8 and iPadOS 26.4.2 — to
Vulnerabilities
Oracle has released its massive April 2026 Critical Patch Update (CPU), addressing 450 security flaws across its global product suite, including critical vulnerabilities that allow for unauthorized remote code execution. Austin, TX — Oracle Corporation has issued its quarterly security offensive, releasing a comprehensive set of patches to address hundreds of
Vulnerabilities
The European Commission’s flagship age-verification tool, touted as a secure solution for protecting minors online, has faced a disastrous rollout after independent researchers bypassed its core security features in under 120 seconds. Brussels, Belgium — The European Union’s ambition to set a global standard for online safety has been