Cyber Security
Application Security
Ghost CMS CVE-2026-26980 Exploited in ClickFix Campaign
Attackers exploited CVE-2026-26980 in Ghost CMS to compromise 700+ domains including Harvard and Oxford, turning them into ClickFix malware distribution points.
Application Security
Laravel Lang Supply Chain Attack Hijacks 700 Package Versions
Attackers rewrote git tags across four Laravel Lang packages to deploy a PHP credential stealer and Windows executable targeting developer machines and servers.
Application Security
Underminr Flaw Lets Attackers Hide C2 Traffic on 88M Domains
Researcher David Redekop of ADAMnetworks disclosed Underminr, a CDN flaw affecting 88 million domains that routes C2 traffic through trusted hostnames.
Application Security
Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
Anthropic's Project Glasswing AI found 10,000+ high-severity CVEs in 1,000 open-source projects in one month, but only 97 patches were deployed upstream.
Application Security
LiteSpeed cPanel Plugin CVE-2026-48172 CVSS 10.0 Exploited
A CVSS 10.0 flaw in the LiteSpeed cPanel plugin lets any authenticated user execute arbitrary scripts as root, compromising all tenants on a shared host.
Cybersecurity
ShinyHunters Claims 42M Charter Records, Sets May 27 Deadline
ShinyHunters listed Charter Communications with 42 million claimed records and a May 27 dump deadline; Charter confirmed an investigation with authorities.
Cybersecurity
Netherlands Seizes 800 Stark Industries Servers, Arrests Two
Dutch FIOD agents seized 800 servers and arrested two at Stark Industries successor WorkTitans for violating EU sanctions tied to Russian cyber operations.
Cybersecurity
ShinyHunters Claims 260K Baker Distributing Salesforce Records
Baker Distributing Company was added to ShinyHunters' Salesforce extortion campaign with 260,000 CRM records exposed and a May 27 public leak deadline.
CVE Vulnerability Alerts
Ubiquiti Patches 3 Max-Severity UniFi OS Flaws, 100K Exposed
Ubiquiti patched three max-severity UniFi OS flaws enabling RCE and unauthorized file access across approximately 100,000 internet-exposed endpoints worldwide.
Application Security
Trump Mobile Exposes 27,000 Customer Records via Insecure API
Security researcher Louis found that Trump Mobile's HTTP POST API returned 27,000 customer records without any authorization check during the T1 phone launch.
Cybersecurity
Mysk: WhatsApp Stores Chats Unencrypted, Meta Apps Can Read Them
Mysk researchers found WhatsApp stores chat history unencrypted in a file accessible to Facebook and Instagram on iOS and macOS without user permission.
CVE Vulnerability Alerts
Wireshark 4.6.6 Patches ROHC Crash and MACsec Buffer Overflow
Wireshark 4.6.6 patches two dissector flaws — a ROHC crash bug and MACsec buffer overflow — that could let attackers crash analyst monitoring sessions.
Cybersecurity
FBI Warns Kali365 PhaaS Platform Bypasses Microsoft 365 MFA
The FBI warns Kali365, a PhaaS platform on Telegram, exploits Microsoft device code authentication to bypass MFA entirely and capture persistent OAuth tokens.
CVE Vulnerability Alerts
Lenovo BootRepair.sys Driver Exposes BYOVD Attack on CrowdStrike
Lenovo BootRepair.sys exposes IOCTL 0x222014, letting unprivileged BYOVD attackers terminate CrowdStrike Falcon at kernel level with no administrative rights.
Application Security
Splunk CVE-2026-20239 Logs Session Cookies in Plaintext
Splunk CVE-2026-20239 writes active session cookies to the _internal index in plaintext, exposing analyst tokens to any user or process reading that index.
Cybersecurity
DPRK npm Packages Use Hugging Face to Exfiltrate Developer Credentials
OX Security found DPRK-linked npm packages using postinstall hooks to deploy a keylogging infostealer that exfiltrates credentials via the Hugging Face API.
Cybersecurity
Deleted Google API Keys Stay Active for Up to 23 Minutes
Aikido Security found deleted Google API legacy keys stay functional up to 23 minutes after revocation, a significant window during active incident response.
Application Security
Chromium Service Worker PoC Exploit Published for 42-Month-Old Bug
Google published PoC exploit code for an unpatched 42-month Chromium Service Worker flaw enabling persistent JavaScript execution after the browser is closed.
Cybersecurity
Texas AG Sues Meta Over WhatsApp Encryption Claims
Texas AG Ken Paxton sued Meta and WhatsApp in May 2026, alleging the companies falsely claimed end-to-end encryption while retaining private message access.
Application Security
Banana RAT Hijacks Brazil Pix QR Codes via NF-e Lures
SHADOW-WATER-063 deploys Banana RAT via fraudulent Brazilian NF-e invoice lures, hijacking Pix QR codes to redirect instant payments to attacker-held accounts.
Application Security
Ghost CMS CVE-2026-26980 Exploited in ClickFix Campaign
TOP CYBERSECURITY HEADLINES
Application Security
Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
Application Security
LiteSpeed cPanel Plugin CVE-2026-48172 CVSS 10.0 Exploited
This Week’s Security Spotlight
Application Security
Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
Application Security
Trump Mobile Exposes 27,000 Customer Records via Insecure API
CVE Vulnerability Alerts
Cisco Secure Workload CVE-2026-20223 Earns CVSS 10.0
Trending
Daily Briefing Newsletter
Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Featured Videos
Podcasts
Cyber Security News
- All
- Application Security
- Blog
- CVE Vulnerability Alerts
- Cybersecurity
- Cybersecurity Newsletter
- Data Security
- Endpoint Security
- Identity and Access Management
- Information Security
- Network Security
- News
- Phishing
- Podcasts
- Product Reviews
- Ransomware
- Ransomware Victims
- Resources
- Security Spotlight
- Sponsored
- Threat Actors
- Threat Actors
- Threat Detection Tools
Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
Anthropic's Project Glasswing AI found 10,000+ high-severity CVEs in 1,000 open-source projects in one month, but only 97 patches were deployed upstream.
LiteSpeed cPanel Plugin CVE-2026-48172 CVSS 10.0 Exploited
A CVSS 10.0 flaw in the LiteSpeed cPanel plugin lets any authenticated user execute arbitrary scripts as root, compromising all tenants on a shared host.
ShinyHunters Claims 42M Charter Records, Sets May 27 Deadline
ShinyHunters listed Charter Communications with 42 million claimed records and a May 27 dump deadline; Charter confirmed an investigation with authorities.
Netherlands Seizes 800 Stark Industries Servers, Arrests Two
Dutch FIOD agents seized 800 servers and arrested two at Stark Industries successor WorkTitans for violating EU sanctions tied to Russian cyber operations.
ShinyHunters Claims 260K Baker Distributing Salesforce Records
Baker Distributing Company was added to ShinyHunters' Salesforce extortion campaign with 260,000 CRM records exposed and a May 27 public leak deadline.
Ubiquiti Patches 3 Max-Severity UniFi OS Flaws, 100K Exposed
Ubiquiti patched three max-severity UniFi OS flaws enabling RCE and unauthorized file access across approximately 100,000 internet-exposed endpoints worldwide.
Trump Mobile Exposes 27,000 Customer Records via Insecure API
Security researcher Louis found that Trump Mobile's HTTP POST API returned 27,000 customer records without any authorization check during the T1 phone launch.
Mysk: WhatsApp Stores Chats Unencrypted, Meta Apps Can Read Them
Mysk researchers found WhatsApp stores chat history unencrypted in a file accessible to Facebook and Instagram on iOS and macOS without user permission.
Wireshark 4.6.6 Patches ROHC Crash and MACsec Buffer Overflow
Wireshark 4.6.6 patches two dissector flaws — a ROHC crash bug and MACsec buffer overflow — that could let attackers crash analyst monitoring sessions.
FBI Warns Kali365 PhaaS Platform Bypasses Microsoft 365 MFA
The FBI warns Kali365, a PhaaS platform on Telegram, exploits Microsoft device code authentication to bypass MFA entirely and capture persistent OAuth tokens.
Lenovo BootRepair.sys Driver Exposes BYOVD Attack on CrowdStrike
Lenovo BootRepair.sys exposes IOCTL 0x222014, letting unprivileged BYOVD attackers terminate CrowdStrike Falcon at kernel level with no administrative rights.
Splunk CVE-2026-20239 Logs Session Cookies in Plaintext
Splunk CVE-2026-20239 writes active session cookies to the _internal index in plaintext, exposing analyst tokens to any user or process reading that index.
DPRK npm Packages Use Hugging Face to Exfiltrate Developer Credentials
OX Security found DPRK-linked npm packages using postinstall hooks to deploy a keylogging infostealer that exfiltrates credentials via the Hugging Face API.
Deleted Google API Keys Stay Active for Up to 23 Minutes
Aikido Security found deleted Google API legacy keys stay functional up to 23 minutes after revocation, a significant window during active incident response.
Chromium Service Worker PoC Exploit Published for 42-Month-Old Bug
Google published PoC exploit code for an unpatched 42-month Chromium Service Worker flaw enabling persistent JavaScript execution after the browser is closed.
Texas AG Sues Meta Over WhatsApp Encryption Claims
Texas AG Ken Paxton sued Meta and WhatsApp in May 2026, alleging the companies falsely claimed end-to-end encryption while retaining private message access.
Banana RAT Hijacks Brazil Pix QR Codes via NF-e Lures
SHADOW-WATER-063 deploys Banana RAT via fraudulent Brazilian NF-e invoice lures, hijacking Pix QR codes to redirect instant payments to attacker-held accounts.
UNG0002 Hides Cobalt Strike in macOS Folder Structures
Seqrite Labs exposed UNG0002 hiding Cobalt Strike inside macOS-style nested folder structures to evade Windows scanners while targeting Changzhou University.
INJ3CTOR3 Deploys JOMANGY Webshell in FreePBX Campaign
CRIL documented INJ3CTOR3 deploying new JOMANGY webshell alongside a six-layer self-healing persistence mechanism against FreePBX VoIP systems for toll fraud.
Operation Dragon Whistle Uses VS Code Tunnels as C2
Operation Dragon Whistle abuses Visual Studio Code Remote Tunnels as a C2 channel, targeting Pakistani surveillance infrastructure and a Chinese university.