News (updated 5 days ago)
Casdoor SSO Auth Bypass (CVE-2026-9090 to 9098): No Patch Yet, Here Is How to Lock It Down Now
Security, Privacy
If your organization self-hosts Casdoor as its SSO login server, you are affected: CERT/CC disclosed nine authentication-bypass flaws (CVE-2026-9090 to 9098, VU#780781) in v2.362.0 and earlier that let an attacker log in as any user or admin. There is still no patch as of June 22, 2026, so the fix is operational: restrict the IdPs Casdoor accepts to trusted ones and audit your accounts now.
2026.06.01, 36 views
News
OpenCATS flaw exposes the entire candidate database (CVE-2026-49489)
Security, Privacy
OpenCATS (<= 0.9.7.4) has an SQL injection flaw, CVE-2026-49489 (CVSS 8.5): any logged-in user can dump the candidate database. A public exploit exists; no fix yet.
2026.05.31, 19 views
News
Palo Alto VPN Authentication Bypass CVE-2026-0257 Exploited in the Wild — Patch Now
Security, Infrastructure
CVE-2026-0257 is an authentication bypass in Palo Alto Networks' GlobalProtect VPN (PAN-OS) that lets attackers forge cookies and connect to internal networks without valid credentials. Already exploited in the wild; CISA added it to KEV with a June 1 deadline. Affected: PAN-OS 10.2 / 11.1 / 11.2 / 12.1. Full affected-and-fixed version table and indicators of compromise inside.
2026.05.30, 25 views
News
Mautic Hit by Twig-Theme SSTI RCE: CVE-2026-9558, Bundled May Patch Fixes 7 CVEs
Development, Security
CVE-2026-9558 (CVSS 9.9) in Mautic, the open-source marketing automation platform, lets authenticated users with theme-upload permission execute arbitrary code via Twig SSTI: themes were rendered without a sandbox. Fixed in 7.1.2 / 6.0.9 / 5.2.11 / 4.4.20 (ELTS), with six more CVEs (SQLi, SSRF, path traversal, authz bypass, two stored XSS) shipped in the same May 28, 2026 release. ~18,000 live sites are affected, including a growing Japanese B2B marketing footprint backed by Acquia Japan.
2026.05.29, 17 views
News
ACF Extended Admin-Hijack Returns 4 Months Later: CVE-2026-8809, Fix 0.9.2.6
Security, Development
CVE-2026-8809 (CVSS 9.8) in the WordPress plugin Advanced Custom Fields: Extended (ACF Extended) lets unauthenticated attackers create administrator accounts. All versions ≤ 0.9.2.5 are vulnerable; fixed in 0.9.2.6. 100,000+ sites affected. This is the second same-shape admin-hijack bug in ACFE in four months. Shipped silently — the official changelog says only 'CSS tweaks'.
2026.05.29, 6 views
News
Oracle Goes Monthly: First CSPU, 35 Patches Including CVSS 10.0 (May 2026)
Global Companies, Infrastructure, Security
On May 28, 2026, Oracle switched its quarterly CPU to a monthly CSPU. The first wave shipped 35 patches, including a CVSS 10.0 in Oracle REST Data Services (CVE-2026-46840), 12 for E-Business Suite, 3 for Database, and 1 for Hospitality OPERA 5. The Cl0p E-Business Suite zero-day campaign is the backdrop.
2026.05.29, 35 views
News
vLLM Ignores --trust-remote-code=False: Third RCE, CVE-2026-4944
Security, Development, AI
vLLM silently overrides your --trust-remote-code=False via a hardcoded True in two model files (nemotron_vl.py, kimi_k25.py). Malicious HuggingFace repos can trigger RCE. Fixed in vLLM 0.18.0. This is the third bypass in the series.
2026.05.29, 17 views
News (updated 6 days ago)
Zed Editor RCE Fix (CVE-2026-44461–44466): Update to 0.229.0 — Opening a Malicious Repo Runs Code on Your Machine
Development, AI, Security
Opening a malicious repo in the Zed editor runs arbitrary code on your machine. CVE-2026-44466 (CVSS 8.6) plus three more RCEs affect versions before 0.227.1/0.229.0. The fix is 0.229.0 — update now.
2026.05.29, 63 views
News (updated 6 days ago)
TinyMCE Stored XSS Fix (CVE-2026-47759–47762): Patch to 8.5.1 / 7.9.3 / 5.11.1 — Editors Can Hijack Admin
Development, Security
TinyMCE ships four simultaneous stored-XSS fixes (CVE-2026-47759 through 47762, all CVSS 8.7) across data-mce-* attributes, nested SVGs, the media plugin, and mce:protected comments. Patch to 8.5.1, 7.9.3, or 5.11.1 LTS now.
2026.05.29, 51 views
News
Japan's 'Kokkai-Map' Goes Viral, Built Solo with Claude Haiku 4.5
Development, AI
Kokkai-Map, a Japanese politician tracker built solo by construction-firm owner Shinnosuke Nakajima with Claude Haiku 4.5 and the National Diet Library API, went viral on May 27, 2026, surviving a 26-minute server outage to hit 21,000 X followers.
2026.05.29, 14 views
News
Unauthenticated RCE in Samba: CVE-2026-4408 Injects Commands via %u in check password script, Patch to 4.24.3 Now
Infrastructure, Linux, Security
Samba file servers and classic domain controllers are exposed to unauthenticated RCE via CVE-2026-4408 (CVSS 9.0). The %u substitution in check password script passes the client-controlled username to the shell without escaping metacharacters, allowing arbitrary root command execution over SAMR. Fixed in Samba 4.22.10, 4.23.8, and 4.24.3.
2026.05.28, 24 views
News
Phishing Redirect Flaw in Jupyter Server CVE-2025-61669: Researcher Logins In The Crosshairs
Security, AI, Development
CVE-2025-61669 (CVSS 6.1) lets attackers craft a Jupyter Server login URL that bounces researchers and data scientists to any external site, turning the familiar Jupyter login page into a phishing launcher. Jupyter Server 2.17.0 and earlier are affected, fixed in 2.18.0. JupyterLab and Notebook 7 inherit the flaw via their backend. Reported by Noriaki Iwasaki of Japan's Cyber Defense Institute.
2026.05.28, 6 views