News Updated 3 days ago
ManageEngine AD360 Account Takeover (CVE-2026-11374): Update Now
Development, Security
Unauthenticated account takeover hits ManageEngine products integrated with AD360 (CVE-2026-11374, CVSS 9.0), via predictable SSO tickets. Update now.
2026.06.23 · 10 views
News Updated 3 days ago
KDDI: 14.22M Emails & Passwords Possibly Leaked at @nifty, BIGLOBE
Japanese Companies, Privacy, Security
KDDI's ISP email system was breached, possibly exposing up to 14.22M email addresses and passwords. @nifty, BIGLOBE and more affected. Here's what to do now.
2026.06.23 · 1 view
News Updated 3 days ago
expr-eval Code Injection via toJSFunction (CVE-2026-12866, CVSS 9.8): Never Pass Untrusted Input, Move to expr-eval-fork
Security, Development
A critical code-injection flaw (CVE-2026-12866, CVSS 9.8) affects expr-eval, a JavaScript math-expression library with 800k+ weekly downloads used in AI and NLP apps. Its toJSFunction() compiles input via new Function(), so untrusted expressions run as code. Stop passing untrusted input and move to expr-eval-fork.
2026.06.23 · 5 views
News Updated 3 days ago
Unpatched Code-Execution Flaws in FastStone Image Viewer: CVE-2026-30040 / 30041 — No Fix Yet
Security
FastStone Image Viewer (8.3.0.0 and earlier), a free image viewer, has two flaws (CVE-2026-30040 / 30041) that let a crafted image take over a PC; the former triggers from automatic thumbnail generation alone. The vendor is unreachable and no patch exists, so mitigations — not processing untrusted images — are essential.
2026.06.23 · 6 views
News Updated 3 days ago
Windows BitLocker Bypassed in Minutes via WinRE: CVE-2026-45585 (YellowKey) — Apply the June Update
Linux, Security
A flaw (CVE-2026-45585, 'YellowKey') abuses the Windows recovery environment WinRE to defeat BitLocker disk encryption and the UEFI/BIOS password in minutes with physical access and one USB stick. It breaks the 'encrypted, so safe' premise for lost or stolen PCs. Microsoft fixed it in the June 2026 update — apply it now.
2026.06.23 · 9 views
News Updated 3 days ago
Two vLLM Flaws: API-Key Bypass (CVE-2026-48746, CVSS 9.1) & Dependency Confusion (CVE-2026-54232) — Update to 0.22.1
AI, Security
vLLM, the go-to engine for self-hosting LLMs, has two critical flaws. CVE-2026-48746 (CVSS 9.1) lets attackers bypass the API key and use the AI API without authentication; CVE-2026-54232 (CVSS 8.8) is a Docker-build dependency confusion that runs code as root. Updating to 0.22.1 resolves both.
2026.06.23 · 2 views
News Updated 3 days ago
Unauthenticated SSRF in Crawl4AI: CVE-2026-56266 (CVSS 8.6/9.2) — Update to 0.8.7
Security, AI
Crawl4AI, a popular crawler for AI data collection, has a critical flaw in its Docker API server, exploitable without authentication (CVE-2026-56266). An attacker can make the server fetch cloud internal data and steal access keys. All versions before 0.8.7 are affected; 0.8.7 also fixes several flaws including a pre-auth RCE. Update now.
2026.06.23 · 5 views
News Updated 4 days ago
SQL Injection in Dell Wyse Management Suite: CVE-2026-44272 (CVSS 8.8) — Update to 2605
Global Companies, Security
Dell Wyse Management Suite, used to centrally manage fleets of thin clients, has a critical flaw (CVSS 8.8, CVE-2026-44272). A low-privileged logged-in attacker can use SQL injection to reach information and operations beyond their rights, risking the management base. All versions before 2605 are affected; update to 2605 now.
2026.06.23 · 2 views
News Updated 4 days ago
Ubuntu's AD Tool ADSys Trusts Forged Certificates: CVE-2026-12249 (CVSS 9.0) — Update Now
Security, Linux
ADSys, the official tool for managing Ubuntu under Windows Active Directory, has a critical flaw (CVSS 9.0, CVE-2026-12249). Because certificate auto-enrollment ran over plain HTTP, an attacker on the network can make endpoints trust forged certificates, enabling interception and impersonation. Fixes are out for each Ubuntu release; update now.
2026.06.23 · 2 views
News Updated 4 days ago
Critical RCE in Autodesk Fusion CAD: CVE-2026-10789 (CVSS 9.6) — Update to 2703.1.20
Global Companies, Security
Autodesk Fusion's desktop CAD has a critical flaw (CVSS 9.6, CVE-2026-10789). With the MCP extension enabled, simply opening a malicious web page can run attacker code on your PC, risking design-data theft and full takeover. Versions before 2703.1.20 are affected; update now.
2026.06.23 · 1 view
News Updated 3 days ago
Critical Langflow Flaw CVE-2026-10561 (CVSS 10.0): Unauthenticated RCE — Update to 1.9.4 Now
AI, Security
Langflow, the popular low-code AI agent builder, has a maximum-severity flaw (CVSS 10.0, CVE-2026-10561). If exposed to the internet, an attacker can fully take over the server with no login required. Versions 1.0.0–1.9.3 are affected; update to 1.9.4 and cut off external access now.
2026.06.23 · 3 views
News Updated 2 days ago
Four new takeover flaws in the SiYuan note app (CVE-2026-50551 et al.): update to 3.7.0
Security, Development
SiYuan, the popular open-source note app, has four new takeover flaws (CVE-2026-50551 / 54067 / 54158 / 55570) in its databases, CSS snippets, and marketplace. Three are rated CVSS 9.9 and one 9.0. Shared or synced data can trigger them, and an earlier update to 3.6.1 does not cover them. Update to 3.7.0 now.
2026.06.22 · 7 views