News Updated 2 days ago
SSRF Flaw in Mastodon Lets the Server Be Abused to Reach Cloud Secrets (CVE-2026-47389) — Update Now
Security, Infrastructure
Mastodon's server software has an SSRF flaw that lets an attacker abuse the server itself as a stepping stone to make unauthorized connections on their behalf. CVE-2026-47389, severity CVSS 8.6. By crafting DNS alone, an attacker can reach internal services or cloud management info (keys) and steal credentials. Versions 4.5.9 / 4.4.16 / 4.3.22 and earlier are affected; operators should update to 4.5.10 / 4.4.17 / 4.3.23.
2026.06.25 · 0 views
News Updated 2 days ago
Two File-Write Flaws in Self-Hosted Media Server Jellyfin (CVE-2026-48793 and More) — Update to v10.11.10
Security, Infrastructure
Jellyfin, a popular tool for streaming movies and music from a home server, has two flaws that let an attacker write files to locations on the server they should not be able to reach. CVE-2026-48793 and CVE-2026-49247, both CVSS 8.8. No administrator privileges are needed, and shared or internet-exposed servers are most at risk. Versions before 10.11.10 are affected; update to 10.11.10.
2026.06.25 · 5 views
News Updated 2 days ago
Cache-Poisoning Takeover Flaw in Publishing Platform Ghost (CVE-2026-53943) — Update to v6.37.0
Development, Security
Ghost, a popular tool for blogs and newsletters, has a flaw that lets an attacker poison the site's display from outside and potentially take over the operator's account. CVE-2026-53943, severity CVSS 9.6. A header sent without authentication can serve a poisoned display to other visitors, and when the public site and admin share one domain it can lead to staff takeover. Versions 4.0.0–6.36.x are affected; update to 6.37.0.
2026.06.25 · 4 views
News Updated 2 days ago
Unauthenticated Remote Takeover Flaw in Cloud Sync Tool Rclone (CVE-2026-49980) — Update to v1.74.3
Security, Infrastructure
Rclone, a standard tool for saving and syncing files to the cloud, has a flaw abusable remotely without authentication. CVE-2026-49980, with a top-class severity of CVSS 9.8. If the remote-control daemon (rcd) is exposed to the network, a single crafted request can run arbitrary commands on the machine running Rclone. Versions 1.46.0–1.74.2 are affected; update to 1.74.3.
2026.06.25 · 7 views
News Updated 2 days ago
Four Flaws in AI Agent Terminal Warp (CVE-2026-48704 and More) — Update to the Latest Build
Development, Security
Warp, a developer terminal with a built-in AI agent, has four vulnerabilities. CVE-2026-48704 and others, all with severity CVSS 8.6 to 8.8. Merely opening a crafted document, receiving on-screen output, or letting the AI work in a malicious repository can run programs on your computer without your intending it. Update to the latest build.
2026.06.25 · 3 views
News Updated 2 days ago
Unauthenticated Server Takeover Flaw in ML Feature Store Feast (CVE-2026-56121) — Update to v0.63.0
AI, Security
Feast, a data platform used in AI and machine learning, has a flaw that lets an attacker take over the server without authentication. CVE-2026-56121, with a top-class severity of CVSS 9.8. Versions before 0.63.0 are affected; a single crafted request from outside can run arbitrary code on the server running Feast. Update to 0.63.0 now.
2026.06.25 · 3 views
News Updated 2 days ago
Many Flaws in Capacitor Live-Update Service Capgo (CVE-2026-56237 and More) — Update to v12.128.2 Now
Development, Security
Capgo, a service that updates a mobile app's contents instantly without app-store review, has been found to contain many vulnerabilities from weak authentication. CVE-2026-56237 and others; the most severe is CVSS 9.1. Attackers could take over accounts and organizations and tamper with the updates pushed to apps. Versions 12.128.1 and earlier are affected; update to 12.128.2 or later.
2026.06.24 · 1 view
News Updated 2 days ago
Admin Takeover Flaw in WordPress 'Ultimate Member' (CVE-2026-7761) — Update to v2.12.0 Now
Development, Security
Ultimate Member, a membership-site plugin used by over 200,000 sites, has a flaw letting a Contributor-level user take over an administrator. CVE-2026-7761, severity CVSS 8.8. Versions 2.11.4 and earlier are affected; update to the latest 2.12.0. An attacker can steal the admin's password reset link and seize the entire site.
2026.06.24 · 2 views
News Updated 2 days ago
8 Takeover Flaws in GeoVision GV-I/O Box 4E (CVE-2026-12485 and more) — Update to v2.12 Now
Security, Infrastructure
GeoVision's GV-I/O Box 4E, a device that controls alarms and electric locks alongside surveillance cameras, has 8 vulnerabilities allowing remote takeover without a password. The top severity is CVSS 10.0. Firmware 2.09 is affected; update to the fixed v2.12. Left unpatched, the device can become a stepping stone for attacks or network intrusion.
2026.06.24 · 20 views
News Updated 2 days ago
Style Dictionary flaw CVE-2026-54639: a crafted token can poison your build — update to 5.4.4
Development, Security
Style Dictionary, the popular tool that turns design tokens (colors, spacing) into code, has a high-severity flaw, CVE-2026-54639 (8.8). A crafted token can pollute the shared object prototype during a build, cascading to a poisoned build, outages, or worse. Versions 4.3.0 to 5.4.3 are affected. Update to 5.4.4 — and here's who actually needs to worry.
2026.06.24 · 2 views
News Updated 3 days ago
Money Forward: ~62,901 records may have leaked — personal data left on GitHub
Security, Japanese Companies
Up to 62,901 people's personal data may have leaked at Money Forward, maker of popular budgeting and accounting software. The cause was not a software flaw but a credential leak into GitHub plus personal-data files mistakenly stored there; the production DB was safe. What leaked, why it happened, and what we can learn — tracked with follow-ups.
2026.06.24 · 1 view
News Updated 3 days ago
What Is Sakana AI's "Fugu"? The Japanese AI That Bundles Other AIs
AI, Japanese Companies, Development
Japan's Sakana AI launched Fugu and Fugu Ultra, an AI that bundles and routes between multiple models. What it is, and how it differs from Claude and ChatGPT, explained for non-experts.
2026.06.23 · 3 views