Hundreds of thousands of websites are potentially exposed to attacks exploiting two vulnerabilities in the Kirki and Burst Statistics WordPress plugins, Defiant warns. Kirki provides website and freeform page creation, and WordPress customizer enhancements. The plugin’s versions 6.0.0 to 6.0.6 are affected by an unauthenticated privilege escalation and account takeover bug. Tracked as CVE-2026-8206 (CVSS ..
Tag : Vulnerabilities
The US cybersecurity agency CISA on Tuesday warned of in-the-wild exploitation of a Linux kernel vulnerability that leads to container escapes. Tracked as CVE-2022-0492 (CVSS score of 7.8), the issue is described as an improper authentication vulnerability that could allow attackers to elevate their privileges and bypass the namespace isolation. The security defect was found ..
Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn. Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory. ..
Two reports offer differing viewpoints. One suggests a failure of tools to provide what security teams really need. The other suggests the tools exist but are not properly managed. The industrialization of cybercrime threatens to overwhelm cyber defense. It’s a process that started before the arrival of ChatGPT, was supercharged by the age of AI, ..
Google on Monday announced its latest Android update, which includes patches for 124 vulnerabilities, including a zero-day that has been exploited in targeted attacks. The exploited vulnerability is CVE-2025-48595, which Google describes as a high-severity privilege escalation issue affecting Android’s Framework component. “There are indications that CVE-2025-48595 may be under limited, targeted exploitation,” Google said ..
A critical-severity vulnerability in multiple HP Poly Voice VoIP phone models can be exploited for remote code execution (RCE) with root privileges, allowing attackers to gain a foothold in enterprise networks, Rapid7 warns. Tracked as CVE-2026-0826 (CVSS score of 9.2), the bug is described as a stack-based buffer overflow issue in the parsing of Session ..
CISA is warning organizations that an Oracle WebLogic vulnerability patched nearly two years ago is being exploited in the wild. The security hole, tracked as CVE-2024-21182, was patched by Oracle in the Java application server with its July 2024 CPU. The software giant’s advisory shows that the flaw was discovered and reported independently by several ..
Threat actors compromised multiple high-profile Instagram accounts last week by simply asking Meta’s AI-powered account recovery assistant to hand them over. The attackers exploited a logic flaw in the AI assistant, a classic ‘confused deputy’ issue, to have their own email addresses linked to the targeted accounts and take them over. Confused deputy weaknesses have ..
Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise. The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic’s MCP protocol. Flowise, a popular open source platform that provides ..
The popular open source self-hosted Git service Gogs is affected by a critical-severity zero-day vulnerability that exposes servers to remote code execution (RCE), Rapid7 reports. The critical-severity issue, assigned a CVSS score of 9.4, is an argument injection flaw that can be exploited by authenticated attackers via pull requests with malicious branch names. In a ..


