News
Claude Fable 5 and Mythos 5 Pulled Worldwide 3 Days After Launch
Global Companies · AI · Lawsuits & Regulation
Three days after launch, Anthropic disabled Claude Fable 5 and Mythos 5 worldwide to comply with a US Commerce Department export-control directive targeting foreign nationals. Users and companies in Japan are caught in the cutoff too.
2026.06.13 · 11 views
News
XSS Flaw in the Popular HTML Sanitizer sanitize-html: Update to 2.17.4 — CVE-2026-44990
Security · Development
A vulnerability (CVE-2026-44990, CVSS 9.3) was found in sanitize-html, the go-to HTML sanitizer for preventing XSS: the deprecated <xmp> tag can be used to slip content past sanitization. The package is downloaded 7M+ times a week; the fix is updating to 2.17.4. Here is how it works and what to check.
2026.06.13 · 4 views
News
Cheap Wi-Fi Cameras and Doorbells Can Be Hijacked, No Fix Coming: CVE-2026-28742
Security · Mobile · Privacy
Cheap Wi-Fi cameras and doorbells sold on Temu and Amazon (Naxclow / V720, X3) have a flaw that lets a stranger hijack the camera with no login, and CISA has issued an advisory. Your Wi-Fi password leaks too, and there is no patch. Here is CVE-2026-28742 and what owners should do.
2026.06.13 · 8 views
News
Aqara Smart Locks and Cameras Could Be Hijacked: Cloud Flaws Including CVE-2026-50083
Mobile · Privacy · Security
Researchers disclosed 10 vulnerabilities in Aqara's smart-home cloud, including CVE-2026-50083, that let an unauthenticated attacker operate smart locks and cameras. Here is the takeover chain and what owners should do.
2026.06.13 · 38 views
News
Netty Flaws Let Attackers Reroute Your Traffic via DNS Cache Poisoning — Update to 4.1.135.Final (CVE-2026-45674)
Development · Security · Infrastructure
Netty, the networking backbone used inside countless Java servers, has three DNS flaws that let attackers reroute an app's traffic to a fake server. The main one is CVE-2026-45674 (severity 8.7). Fixed in 4.1.135.Final (4.2.15.Final on the new line). It often hides as a transitive dependency inside Elasticsearch, gRPC and more, so check with mvn dependency:tree and update.
2026.06.13 · 5 views
News
Eight Sandbox-Escape Flaws Hit vm2, Three Rated Max Severity — Patch to 3.11.4 Now (CVE-2026-47131)
Development · Security · AI
vm2, the Node.js library used to run untrusted code in a sandbox, has eight new escape flaws (three rated the maximum 10.0) that let attackers take over the host. Fixed in vm2 3.11.4 — but vm2 is discontinued, so the real fix is migrating to isolated-vm or container isolation. Run npm ls vm2 to check, and act fast if you run AI-generated code.
2026.06.13 · 3 views
News
MariaDB Hit by Top-Severity RCE in Galera Clustering — wsrep Users Should Update Now (CVE-2026-49261)
Security · Development · Infrastructure
MariaDB, a staple database, has a maximum-severity 10.0 flaw, CVE-2026-49261. It affects Galera cluster setups (multiple servers syncing data) with the wsrep_notify_cmd notification feature enabled, where a node name can be used to take over the server. Single standalone servers are not affected. Galera users must update now to the fixed releases (10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2).
2026.06.12 · 9 views
News
axios Flaws Let Attackers Steal Credentials via Proxy SSRF and Prototype-Pollution MITM — Update to 1.16.0 Now (CVE-2026-44492 / CVE-2026-44494)
Infrastructure · Development · Security
axios, the HTTP client used by apps worldwide, has two flaws: an SSRF that leaks cloud credentials (CVE-2026-44492) and a prototype-pollution gadget that escalates to a full man-in-the-middle (CVE-2026-44494). Fixed in 1.16.0+ (0.32.0 on the old line), latest is 1.17.0. Old versions often hide as transitive dependencies, so check with npm ls axios and update.
2026.06.12 · 3 views
News (updated 2 days ago)
GitLab Patches 14 More Flaws: Self-Managed Servers Should Update to 19.1.1 (CVE-2026-10086)
Security · Development · Infrastructure
On June 24, 2026, GitLab fixed 14 more vulnerabilities at once, including a flaw that lets a developer run malicious code on another user's screen and one that leaks information from its AI feature. Companies running GitLab on their own servers should update now to the latest releases (19.1.1 / 19.0.3 / 18.11.6). GitLab.com users are already covered.
2026.06.11 · 5 views
News
Oracle PeopleSoft CVE-2026-35273 Now Actively Exploited (CISA KEV): Patch the 9.8 Flaw Now
Infrastructure · Security · Global Companies
Oracle has issued an emergency patch for CVE-2026-35273 (CVSS 9.8) in PeopleSoft, the HR and payroll system used by large enterprises, universities and governments. Without a login, an attacker can take over the server over the network and steal the personal data, salaries and bank accounts of all employees and students at once. It is a rare out-of-cycle response; affected PeopleTools 8.61 and 8.62 should be patched now.
2026.06.11 · 34 views
News
Flaw in Mitsubishi Electric Home Appliances (AC, Fridge & More): Someone on Your Wi-Fi Can Knock Out Remote Control, CVE-2025-49604, Update the Firmware
Japanese Companies · Security · Mobile
Mitsubishi Electric disclosed CVE-2025-49604 affecting a wide range of Wi-Fi-enabled home appliances — air conditioners, refrigerators, rice cookers, IH cooktops and more. A device on the same Wi-Fi sending crafted traffic can temporarily halt the appliance's Wi-Fi, blocking smartphone remote control. There is no risk of data theft or takeover, but affected models should update to the fixed firmware.
2026.06.11 · 5 views
News
Flaw in Pi-hole, the Popular Ad Blocker: Someone on Your Network Can Hijack the Admin Panel Without a Password, CVE-2026-44693, Update to v6.6.1
Linux · Infrastructure · Security
A flaw in FTL, the core engine of Pi-hole, the ad blocker widely used in homes and offices (CVE-2026-44693, CVSS 8.8): a third party on the same network can flood it while an admin is active, steal the session ID, and hijack the admin panel without a password — enabling DNS rewrites and browsing-history access. It affects v6.0 to v6.6.0; update to v6.6.1 or later now.
2026.06.11 · 4 views