Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
May 25, 2026
Anthropic’s Project Glasswing AI found 10,000+ high-severity CVEs in 1,000 open-source projects in one month, but only 97 patches were
Security Spotlight
Anthropic’s Project Glasswing Finds 10,000+ CVEs in One Month
Anthropic's Project Glasswing AI found 10,000+ high-severity CVEs in 1,000 open-source projects in one month, but only 97 patches were deployed upstream.
Trump Mobile Exposes 27,000 Customer Records via Insecure API
Security researcher Louis found that Trump Mobile's HTTP POST API returned 27,000 customer records without any authorization check during the T1 phone launch.
Cisco Secure Workload CVE-2026-20223 Earns CVSS 10.0
CVE-2026-20223 lets unauthenticated remote attackers gain full Site Admin access to Cisco Secure Workload; no credentials or user interaction are required.
NYC Health + Hospitals Breach Exposes 1.8M Patients’ Fingerprints
Hackers spent 77 days inside NYC Health + Hospitals via a vendor breach, stealing fingerprints, medical records, and SSNs from 1.8 million patients.
Anthropic Silently Fixed Claude Code Null-Byte Sandbox Escape
A null-byte sandbox bypass in Claude Code allowed credential exfiltration via prompt injection, present from October 2025 until Anthropic's silent March patch.
CVE-2026-3102: ExifTool Image Injection Runs Shell Commands on macOS
CVE-2026-3102 in ExifTool's SetMacOSTags lets a crafted image execute shell commands on macOS; the flaw is patched in ExifTool 13.50 after Kaspersky disclosure.
SonicWall Gen6 MFA Bypass CVE-2024-12802 Left Open by Incomplete Patch
SonicWall's patch for CVE-2024-12802 needed a manual LDAP reconfiguration most admins skipped, leaving Gen6 VPN open to MFA bypass and ransomware access.
Drupal Issues Highly Critical Patch, Exploits Expected Within Hours
Drupal warned a highly critical vulnerability in versions 11.3.x through 10.5.x could be exploited within hours of its May 20, 2026 patch release date.
Tycoon2FA Adds Device-Code Attack to Bypass Microsoft 365 MFA
Tycoon2FA's latest update adds device-code phishing that hands attackers a valid Microsoft 365 OAuth token without requiring the victim's password or MFA code.
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
SAP's May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated attackers read or delete ERP ...
Trump Mobile Exposes 27,000 Customer Records via Insecure API
May 25, 2026
Security researcher Louis found that Trump Mobile’s HTTP POST API returned 27,000 customer records without any authorization check during the
Cisco Secure Workload CVE-2026-20223 Earns CVSS 10.0
May 22, 2026
CVE-2026-20223 lets unauthenticated remote attackers gain full Site Admin access to Cisco Secure Workload; no credentials or user interaction are
NYC Health + Hospitals Breach Exposes 1.8M Patients’ Fingerprints
May 21, 2026
Hackers spent 77 days inside NYC Health + Hospitals via a vendor breach, stealing fingerprints, medical records, and SSNs from
Anthropic Silently Fixed Claude Code Null-Byte Sandbox Escape
May 21, 2026
A null-byte sandbox bypass in Claude Code allowed credential exfiltration via prompt injection, present from October 2025 until Anthropic’s silent
CVE-2026-3102: ExifTool Image Injection Runs Shell Commands on macOS
May 21, 2026
CVE-2026-3102 in ExifTool’s SetMacOSTags lets a crafted image execute shell commands on macOS; the flaw is patched in ExifTool 13.50
SonicWall Gen6 MFA Bypass CVE-2024-12802 Left Open by Incomplete Patch
May 21, 2026
SonicWall’s patch for CVE-2024-12802 needed a manual LDAP reconfiguration most admins skipped, leaving Gen6 VPN open to MFA bypass and
Drupal Issues Highly Critical Patch, Exploits Expected Within Hours
May 20, 2026
Drupal warned a highly critical vulnerability in versions 11.3.x through 10.5.x could be exploited within hours of its May 20,
Tycoon2FA Adds Device-Code Attack to Bypass Microsoft 365 MFA
May 19, 2026
Tycoon2FA’s latest update adds device-code phishing that hands attackers a valid Microsoft 365 OAuth token without requiring the victim’s password
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
May 13, 2026
SAP’s May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated
Trending
Daily Briefing Newsletter
Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.