LIVE · cybersecurity feed

vulnerability

zeroday.news · 3h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 3h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.

zeroday.news · 3h ago·high

Bug in top AI coding agents shows that Unix-era security headaches never really die

A vulnerability dubbed "GhostApproval" has been discovered in at least six popular AI coding assistants, allowing them to access files outside their designated workspaces and potentially execute remote code. The flaw exploits symbolic links, a long-standing security issue, to trick agents into writing malicious content, such as SSH keys, to sensitive system files. While some vendors have patched the issue and assigned CVEs, others have downplayed the risk or are yet to release fixes.

zeroday.news · 7h ago·high

CISA orders feds to prioritize patching Langflow auth bypass flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to prioritize patching a critical authentication bypass vulnerability within the Langflow AI agent framework. This directive comes as the flaw is reportedly being actively exploited.

zeroday.news · 9h ago·critical

Ubiquiti warns of new max severity UniFi OS vulnerability

Ubiquiti has issued updates to address seven critical vulnerabilities within its UniFi OS. Among these patched flaws is a command injection vulnerability rated at maximum severity.

zeroday.news · 10h ago·critical

CISA orders feds to patch max severity ColdFusion flaw by Friday

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies address a maximum-severity Adobe ColdFusion vulnerability. This flaw is currently being actively exploited and requires patching by Friday.

zeroday.news · 11h ago·critical

15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

Nebula Security has revealed GhostLock (CVE-2026-43499), a Linux kernel vulnerability present for 15 years. This flaw allows any logged-in user to achieve root privileges and container escape on unpatched systems, as it is included by default in most Linux distributions.

zeroday.news · 12h ago·high

CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

CISA has incorporated four new vulnerabilities into its Known Exploited Vulnerabilities (KEV) catalog. These flaws, affecting products from Adobe, Joomla, and Langflow, are all currently under active exploitation.

zeroday.news · 21h ago·high

Dialogflow CX 'Rogue Agent' Flaw Enabled AI Chatbot Data Theft

Varonis identified a vulnerability in Google Dialogflow CX, dubbed the Rogue Agent flaw, which allowed for the theft of AI chatbot data. Google has since implemented a fix for this issue.

zeroday.news · 23h ago·high

Chinese hackers develop LONGLEASH malware to expand ORB network

Chinese state-sponsored hackers, identified as UAT-7810, have developed new malware named LONGLEASH. It is being used to expand their ORB network by compromising internet-facing devices, specifically targeting unpatched Ruckus routers.

zeroday.news · 1d ago·high

Hidden backdoor in Tenda router firmware grants admin access

A hidden backdoor has been discovered in multiple versions of Tenda router firmware. The hardcoded authentication backdoor allows unauthorized administrative access to the router web management panel.

zeroday.news · 1d ago·critical

Critical Gitea Flaw Under Active Exploitation, Researchers Warn

A critical vulnerability in Gitea, tracked as CVE-2026-20896, is being actively exploited. The flaw lets attackers bypass authentication with a single HTTP header to access repositories and secrets.

zeroday.news · 1d ago·high

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

A now-patched flaw in Google Dialogflow CX could have allowed chatbot hijacking. An attacker with edit rights on a single Code Block agent could compromise other agents in the same Google Cloud project and read live conversations.

zeroday.news · 1d ago·high

'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows

A vulnerability dubbed GitLost leaks private data from GitHub Agentic Workflows. An unauthenticated attacker can craft a public GitHub Issue to silently exfiltrate data from private repositories.

zeroday.news · 1d ago·high

Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

Noma Security demonstrated that a public GitHub Issue can trick GitHub Agentic Workflows into leaking private repository data. A seemingly innocuous issue on a public repo can be crafted to exfiltrate private contents.

zeroday.news · 1d ago·critical

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

A now-patched critical session isolation flaw was found in the enterprise generative-AI platform Writer. It could have let agent previews leak session tokens, enabling cross-tenant compromise.

zeroday.news · 1d ago·critical

Critical Adobe ColdFusion Vulnerability Exploited in Attacks

A critical Adobe ColdFusion vulnerability, CVE-2026-48282 with a maximum CVSS score of 10, is being actively exploited in attacks. The flaw poses a severe risk to affected systems.

zeroday.news · 1d ago·critical

New Januscape Linux flaw allows VM escape on Intel, AMD devices

A newly identified Linux kernel vulnerability, dubbed Januscape, allows virtual machine escape on Intel and AMD systems. The 16-year-old flaw lets attackers break out of a VM and run code on the host.

zeroday.news · 1d ago·critical

Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

A recently discovered 16-year-old vulnerability in the Linux kernel's KVM hypervisor, dubbed Januscape, allows attackers to break out of a virtual machine. This flaw affects both Intel and AMD systems and could enable unauthorized code execution on the underlying host system.

zeroday.news · 1d ago·critical

BeyondTrust warns of critical flaws in remote access software

BeyondTrust has alerted users to two critical vulnerabilities affecting its Remote Support and Privileged Remote Access software. These security weaknesses could potentially enable attackers to circumvent authentication mechanisms.

zeroday.news · 1d ago·critical

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

BeyondTrust has issued patches for critical vulnerabilities in its Remote Support and Privileged Remote Access software. These flaws could permit unauthenticated attackers to gain unauthorized control over affected systems.

zeroday.news · 1d ago

CitrixBleed-ing Again? NetScaler Vulnerability Under Attack

Attackers wasted little time targeting the latest memory disclosure flaw in Citrix's NetScaler products, after researchers published a proof-of-concept exploit (PoC).

zeroday.news · 2d ago

16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU

zeroday.news · 2d ago

JadePuffer: The First Complete LLM-Driven Ransomware Attack

An "agentic threat actor" successfully exploited a Langflow flaw to steal data from a production database server and encrypt other systems.

zeroday.news · 2d ago·critical

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from

zeroday.news · 2d ago

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, th

zeroday.news · 4d ago

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere.

zeroday.news · 4d ago

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in

zeroday.news · 5d ago

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in t

zeroday.news · 6d ago

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This

zeroday.news · 6d ago

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new

zeroday.news · 8d ago·critical

'Djinn' Stealer Targets Cloud, AI Credentials

The infostealer was delivered via CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, targeting credentials linking development and admin environments to wider enterprise systems.

zeroday.news · 8d ago·critical

Vulnerabilities Expose Private Data in Indian Government Systems

One critical vulnerability, among many discovered by a researcher, could have allowed anyone to walk in and take over a national government portal.

zeroday.news · 9d ago·high

Factoring RSA Keys with Many Zeros

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developi

zeroday.news · 9d ago

Amazon Q VS Extension Flaw Leads to Cloud Credential Theft

Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk.

zeroday.news · 12d ago·critical

In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw

A critical vulnerability affecting Cisco Unified CM and Unified CM SME deployments, which allows for server-side request forgery (SSRF) and root privilege escalation, was rapidly exploited by attackers. Threat actors weaponized the flaw within 24 hours of its public disclosure.

zeroday.news · 28d ago

Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities

Microsoft Patch Tuesday details for June 2026.

zeroday.news · 34d ago

Smashing Security podcast #470: This AI security flaw might be impossible to fix

A website called "UK visa portal" has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren't. And when a journalist tried to war

zeroday.news · 41d ago

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap

This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.

zeroday.news · 56d ago·critical

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it

zeroday.news · 105d ago·high

CVE-2026-33538: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.

zeroday.news · 105d ago·medium

CVE-2026-33527: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.

zeroday.news · 105d ago·high

CVE-2026-33508: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.

zeroday.news · 105d ago·high

CVE-2026-33498: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.

zeroday.news · 105d ago·medium

CVE-2026-33429: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.

zeroday.news · 105d ago·medium

CVE-2026-33421: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue ha

zeroday.news · 105d ago·medium

CVE-2026-33417: Wallos is an open-source, self-hostable personal subscription tracker.

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.

zeroday.news · 105d ago·critical

CVE-2026-33409: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.

zeroday.news · 105d ago·medium

CVE-2026-33323: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.

zeroday.news · 105d ago·high

CVE-2026-30932: Froxlor is open source server administration software.

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

zeroday.news · 105d ago

CVE-2026-2417: A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware ver

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

zeroday.news · 105d ago·medium

CVE-2026-29772: Astro is a web framework.

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.

zeroday.news · 105d ago

CVE-2026-23924: Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding the

Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.

zeroday.news · 105d ago

CVE-2026-23923: An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classe

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

zeroday.news · 105d ago

CVE-2026-23921: A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

zeroday.news · 105d ago

CVE-2026-23920: Host and event action script input is validated with a regex (set by the administrator), but the validation runs i

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

zeroday.news · 105d ago

CVE-2026-23919: For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.

zeroday.news · 105d ago·high

CVE-2026-1995: IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\P

IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments for starting a process, but they can be edited by any standard user logged into the system. An attacker can overwrite or edit the files to specify a path to an arbitrary executable, which will then be executed by the id_service.exe process with SYSTEM privileges.

zeroday.news · 105d ago·critical

CVE-2026-33407: Wallos is an open-source, self-hostable personal subscription tracker.

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.

zeroday.news · 105d ago·medium

CVE-2026-33401: Wallos is an open-source, self-hostable personal subscription tracker.

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.