Security Articles

Stay ahead of emerging threats with expert analysis from 137 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. As of Tuesday, June 9, 2026, the most urgent items for production stacks: the "Miasma" worm has detonated across 73 Microsoft-owned GitHub repositories in an npm supply-chain cascade — a software supply-chain attack means malicious code is planted in a trusted package your developers already install, so it spreads automatically into everything that depends on it — making any team that pulls JavaScript packages from npm a potential downstream victim; audit your dependencies and pin trusted versions now. The Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20245 remains under active exploitation with no patch available yet — restrict management-interface access and watch Cisco's advisory for the fix. Cisco Unified Communications Manager flaw CVE-2026-20230 hands attackers root through a server-side request forgery (SSRF) bug — a server tricked into making attacker-controlled requests — and a working proof-of-concept exploit is already public, so patch now. The Mirasvit Cache Warmer bug CVE-2026-45247 is being used for active remote code execution (RCE — running attacker code on your server) against Magento e-commerce stores. Still carrying forward: the HTTP/2 "Bomb" CVE-2026-49975 lets a single home connection knock NGINX, Apache, IIS, and Cloudflare web servers offline; Palo Alto GlobalProtect authentication-bypass CVE-2026-0257 remains on the CISA Known Exploited Vulnerabilities (KEV) catalog under active exploitation; and the WP Maps Pro WordPress flaw CVE-2026-8732 is still spawning rogue administrator accounts across roughly 15,000 sites. If your business pulls npm packages, or runs Cisco SD-WAN or Unified CM, Magento, a public web server, Palo Alto GlobalProtect, or WordPress with WP Maps Pro, these advisories require action now — start with the article-level remediation steps below.

All Articles AdvisoryCyber AttackData BreachExploitMalwareThreat ActorVulnerability
Severity: All Critical High Medium Low
57 articles found
Featured Story
high
Jun 13, 2026
highCVE AdvisoryVulnerability

HIGH: Velvet Ant Backdoored Linux PAM and OpenSSH to Live in One Network for Nearly a Decade

Sygnia disclosed Operation Highland this week, a China-nexus campaign by the Velvet Ant cluster that compromised core Linux authentication on a victim network from 2016 through 2026. Nine variants of backdoored PAM modules and patched OpenSSH binaries delivered hardcoded magic-password access plus continuous credential and command logging. A parallel commodity tool called PamDOORa now sells for $900 on a Russian forum, putting the same authentication-layer tradecraft within reach of any ransomware affiliate with root.

By Danny MercerRead Full Article
high
CVE AdvisoryVulnerabilityJun 11, 2026

HIGH: Langflow Path Traversal CVE-2026-5027 Lets Unauthenticated Attackers Plant Code on Roughly 7,000 Exposed AI Servers

A path traversal flaw in Langflow's POST /api/v2/files endpoint allows unauthenticated attackers to write files anywhere the platform process can reach, opening a clean route to remote code execution on the roughly seven thousand exposed instances Censys is currently tracking. Tenable disclosed CVE-2026-5027 in late March, the maintainers shipped a fix in version 1.10.0 on June 10, and VulnCheck honeypots are catching exploitation right now. Patch immediately or pull the instance off the public internet.

Read more
high
CVE AdvisoryVulnerabilityJun 8, 2026

HIGH: Miasma Worm Detonates 73 Microsoft GitHub Repos in npm Supply Chain Cascade

GitHub disabled 73 repositories across four Microsoft organizations after the Miasma worm spread through 57 npm packages, including @vapi-ai/server-sdk and ai-sdk-ollama. The TeamPCP-linked variant of Mini Shai-Hulud uses a Phantom Gyp binding.gyp injection plus AI coding assistant rule files in Claude Code, Cursor, Gemini CLI, and VS Code to harvest AWS, GCP, Azure, Vault, and GitHub Actions credentials.

Read more
high
CVE AdvisoryVulnerabilityJun 7, 2026

HIGH: Cisco Unified Communications Manager SSRF Flaw Has a Public PoC and a Root-Level Punchline (CVE-2026-20230)

Cisco's June 3 advisory for CVE-2026-20230 details a critical-rated SSRF in the Unified Communications Manager WebDialer service, with a CVSS 8.6 base score and a public proof-of-concept already in circulation. An unauthenticated attacker on the network can write arbitrary files to the underlying OS and chain that into root. Cisco has released fixes in 14SU6 and an interim COP for the 15 line, with 15SU5 due in September 2026. Disabling WebDialer is the recommended interim mitigation.

Read more
high
CVE AdvisoryVulnerabilityJun 6, 2026

HIGH: Cisco Catalyst SD-WAN Manager Zero-Day Under Active Exploitation, No Patch Available (CVE-2026-20245)

Cisco confirmed active exploitation of CVE-2026-20245, an unpatched command injection flaw in Catalyst SD-WAN Manager that lets authenticated attackers escalate to root and push malicious configurations to edge devices. The CVSS 7.8 bug is the seventh exploited SD-WAN zero-day since 2023 and chains with two prior auth bypass vulnerabilities to enable full remote takeover. No patch is available.

Read more
high
CVE AdvisoryVulnerabilityJun 3, 2026

HIGH: HTTP/2 Bomb Vulnerability Lets a Home Connection Flatten NGINX, Apache, IIS, Envoy, and Cloudflare Pingora

A newly disclosed HTTP/2 vulnerability dubbed HTTP/2 Bomb lets a single client on a residential connection exhaust 32 gigabytes of server memory in under twenty seconds. The flaw, tracked as CVE-2026-49975 for Apache httpd, affects NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. NGINX and Apache shipped fixes. IIS, Envoy, and Pingora remain unpatched as of public disclosure on June 2, 2026.

Read more
high
CVE AdvisoryVulnerabilityMay 31, 2026

HIGH: Palo Alto GlobalProtect Auth Bypass (CVE-2026-0257) Actively Exploited, Now on CISA KEV

A GlobalProtect authentication override flaw in PAN-OS lets unauthenticated attackers forge session cookies and walk into the VPN. Rapid7 observed two waves of in the wild exploitation in May, CISA added the bug to the KEV catalog on May 29 with a June 1 federal deadline, and Palo Alto Networks has confirmed active exploitation against unpatched devices.

Read more
high
CVE AdvisoryVulnerabilityMay 28, 2026

HIGH: Iranian MuddyWater APT Hits Nine Countries With Signed-Binary DLL Side-Loading Through SentinelOne and Fortemedia

Symantec and Carbon Black detail a Q1 2026 MuddyWater espionage campaign that breached nine organisations across nine countries on four continents, abusing signed SentinelOne and Fortemedia binaries for DLL side-loading and deploying ChromElevator, a Node.js implant, and the FileFiend exfiltration tool. The Iranian MOIS-linked group is moving toward quieter, more disciplined operations.

Read more
high
CVE AdvisoryVulnerabilityMay 23, 2026

HIGH: Drupal Core SQL Injection CVE-2026-9082 Hits CISA KEV Days After Disclosure

Drupal disclosed SA-CORE-2026-004 (CVE-2026-9082), a Highly Critical SQL injection in the core database abstraction API that lets unauthenticated attackers escalate privileges and reach remote code execution on PostgreSQL-backed sites. Imperva is tracking 15,000+ attack attempts against nearly 6,000 sites across 65 countries. CISA added the bug to KEV on May 22 with a federal patch deadline of May 27, 2026.

Read more
high
CVE AdvisoryVulnerabilityMay 21, 2026

HIGH: Microsoft Defender Burns Again as Two New Zero-Days Hit Active Exploitation

Microsoft confirmed on May 21 that CVE-2026-41091, a CVSS 7.8 link-following privilege escalation in the Microsoft Malware Protection Engine, and CVE-2026-45498, a denial-of-service flaw in the Defender Antimalware Platform, are both under active exploitation. CISA added both to the KEV catalog with a June 3 federal remediation deadline. Defender engine version 1.1.26040.8 and Antimalware Platform 4.18.26040.7 contain the fixes and ship automatically through definition updates.

Read more
high
CVE AdvisoryVulnerabilityMay 20, 2026

HIGH: Microsoft Ships Mitigation for YellowKey BitLocker Bypass Zero-Day (CVE-2026-45585)

Microsoft published mitigation guidance for CVE-2026-45585, the YellowKey BitLocker bypass zero-day publicly disclosed by researcher Chaotic Eclipse last week. The flaw lives in the FsTx Auto Recovery Utility inside Windows Recovery Environment and lets anyone with physical access and a USB stick spawn an unrestricted shell with the BitLocker-protected volume already mounted. Windows 11 24H2, 25H2, 26H1 and Windows Server 2025 are affected.

Read more
high
CVE AdvisoryVulnerabilityMay 16, 2026

HIGH: Microsoft Exchange Server XSS Flaw CVE-2026-42897 Under Active Attack

Microsoft Exchange Server CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access that lets a crafted email execute JavaScript in the victim OWA session. CISA added it to the Known Exploited Vulnerabilities catalog on May 15, 2026 after confirmed in-the-wild exploitation, with a May 29 federal mitigation deadline. Exchange Server 2016, 2019, and Subscription Edition are affected. Exchange Online is not. Microsoft scored it CVSS 8.1, and patches shipped in the May 2026 security update.

Read more
high
CVE AdvisoryVulnerabilityMay 11, 2026

HIGH: Ivanti EPMM CVE-2026-6973 Under Active Exploitation, CISA Mandates 3-Day Federal Patch Deadline

Ivanti has confirmed in-the-wild exploitation of CVE-2026-6973, an authenticated remote code execution flaw in on-premises Endpoint Manager Mobile rated CVSS 7.2. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 7 and gave federal agencies until May 10, 2026 to remediate. The exploitation pattern strongly suggests reuse of admin credentials harvested during the unauthenticated EPMM compromises disclosed in January 2026.

Read more
high
CVE AdvisoryVulnerabilityMay 9, 2026

Zara Joins the Anodot Casualty List as ShinyHunters Cashes In on Third-Party Trust

Inditex confirmed roughly 197,000 Zara customer records were exposed via Anodot, an Israeli AI analytics platform compromised by ShinyHunters. The crew used stolen authentication tokens to pivot into BigQuery instances of multiple downstream customers, hauling out 140GB from Zara alone. Email addresses, order IDs, SKUs, and support tickets leaked, but no payment data or passwords. The supply-chain pattern mirrors the 2024 Snowflake campaign.

Read more
high
CVE AdvisoryVulnerabilityMay 9, 2026

HIGH: 'Dirty Frag' Linux Kernel Bugs Hand Locals Root, One Half Already Patched, RxRPC Half Still Open (CVE-2026-43284, CVE-2026-43500)

Two Linux kernel page-cache write bugs collectively named Dirty Frag let any unprivileged local user pop a root shell in one command. CVE-2026-43284 in xfrm-ESP was patched May 8. CVE-2026-43500 in RxRPC is still unpatched. Microsoft has already seen active exploitation in the wild and a public proof-of-concept is on GitHub.

Read more

Is Your Mobile App Secure?

Our CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.

Learn About Mobile Pen TestingMSP Partner Program
Page 1 of 3Next

Stay Informed

Subscribe to our newsletter and get the latest security insights delivered to your inbox.