
Malicious npm Package codexui-android Steals OpenAI Tokens at Scale
A malicious npm package named codexui-android harvested OpenAI Codex authentication tokens from developers at roughly 29,000 weekly downloads before removal.

An unauthenticated privilege escalation flaw in WP Maps Pro, a WordPress plugin with 15,000 paid sites, is actively exploited to

Public exploit code for CVE-2026-40933 now targets Flowise, a self-hosted AI chatflow builder, via a one-click malicious import that executes

Microsoft attributed 14 malicious npm packages impersonating OpenSearch and Elasticsearch to a single threat actor who stole AWS credentials and

A CVSS 9.4 argument injection zero-day in Gogs lets any authenticated user achieve RCE on internet-exposed servers. No patch exists

CIFSwitch is a 19-year-old Linux kernel privilege escalation flaw with a public PoC that enables root access on Ubuntu, RHEL,

Attackers exploited CVE-2026-26980 in Ghost CMS to compromise 700+ domains including Harvard and Oxford, turning them into ClickFix malware distribution