Vulnerabilities
Researcher RyotaK of GMO Flatt Security found a flaw in Anthropic's Claude Code GitHub Action that let a single opened issue take over public repos running it. Anthropic fixed it within days (v1.0.94) and paid a bounty; the durable lesson is product-agnostic.
Artificial Intelligence
Anthropic is extending Project Glasswing — which uses its Claude Mythos model to find software flaws — to about 150 more organizations in 15-plus countries, most of them critical-infrastructure operators a major attack could each affect, the company estimates, 100 million-plus people.
Vulnerabilities
A critical flaw in the Kirki WordPress plugin (CVE-2026-8206, CVSS 9.8) lets an unauthenticated attacker send any account's password-reset link — including an admin's — to their own email and seize it. Versions 6.0.0–6.0.6 are fixed in 6.0.7; BleepingComputer reports exploitation.
Cybersecurity 101
A clear guide to patch management — why it matters, the step-by-step process, the types of patches, common challenges, and proven best practices.
Vulnerabilities
CISA added CVE-2024-21182 — an unauthenticated Oracle WebLogic flaw patched in July 2024 — to its Known Exploited Vulnerabilities catalog on evidence of active exploitation. Despite 'RCE' framing elsewhere, CISA describes unauthorized access to WebLogic data; agencies must patch by June 4.
Vulnerabilities
Google's June 2026 Android update fixes CVE-2025-48595, an Android Framework integer overflow that Google says may be under limited, targeted exploitation. Because the Framework is the API layer every app touches, the flaw can hand an attacker complete control of an unpatched device.
Mobile Security
A single debug setting left enabled in Microsoft's Android Office apps — Word, Excel, PowerPoint, OneNote, Loop and Microsoft 365 Copilot — let any other app on the same device read Microsoft account tokens, per a SecurityWeek exclusive. Microsoft has patched the flaws.
Cybersecurity 101
The three "zero-day" terms explained — vulnerability, exploit, and attack — how they connect on a timeline, why they are dangerous, and how to defend.
Vulnerabilities
Belgium's national cybersecurity authority warned on May 29 that CVE-2026-41089, a critical pre-auth buffer-overflow RCE in Windows Netlogon, is now being exploited against unpatched domain controllers. Microsoft patched the flaw in its May 12 Patch Tuesday release.
Vulnerabilities
CVE-2026-8732, a CVSS 9.8 flaw in the WP Maps Pro WordPress plugin, lets any unauthenticated attacker mint an administrator account on 15,000 affected sites. Wordfence blocked 2,858 exploitation attempts in a single 24-hour window. Patch is in v6.1.1.
Vulnerabilities
Rapid7's Stephen Fewer disclosed CVE-2026-0826 on June 1 — an unauthenticated stack-based overflow in HP Poly VVX and Trio enterprise VoIP phones with a CVSSv4 of 9.2 — alongside HP firmware fixes released the same morning after a five-month coordinated disclosure cycle.
Cybersecurity 101
A clear guide to exploits — what they are, how they differ from vulnerabilities, how they work, the common types, and how to defend against them.