News Updated 5 days ago
Unauthenticated takeover flaw in AI crawler Crawl4AI (CVE-2026-56265): update to 0.8.7
Security, Infrastructure, AI
A critical flaw in Crawl4AI, the popular tool that feeds web pages into AI, lets attackers take over a server without logging in. Rated CVSS 9.8, it arises because the self-hosted Docker edition baked the 'master key' used to verify users into the product, so anyone can impersonate an administrator. A fix, 0.8.7, is out; if you self-host, update urgently.
2026.06.22 · 6 views
News Updated 6 days ago
Server takeover flaw in Prefect (CVE-2026-5366): update to the latest
Infrastructure, Development, Security
A critical flaw in Prefect, the popular Python tool for automating data pipelines, lets attackers run code and take over a server. Rated CVSS 9.9, it means that in shared multi-user setups anyone who can register a job may take over other users' processing too. A fix is out; if you self-host, update urgently.
2026.06.21 · 10 views
News Updated 6 days ago
Four new critical flaws in AI builder Flowise — CVE-2025-71338 is a perfect-10.0 RCE with no patch
AI, Development, Security
Four new critical flaws, including a perfect 10.0, hit Flowise, the popular no-code tool for building AI apps. The worst, CVE-2025-71338, lets an attacker write arbitrary files to the server with no login via a crafted file name and take over on restart — and it has no patch yet. Two are fixed in 3.0.6; two are not. We lay out the fixes and a version-by-version quick reference.
2026.06.21 · 5 views
News Updated 7 days ago
Two Critical Flaws in ProxySQL (CVE-2026-48772 / 48773): Source Spoofing and Pre-Login Memory Corruption, Upgrade to v3.0.9 Now
Infrastructure, Development, Security
ProxySQL, the widely used proxy in front of MySQL and PostgreSQL, has two critical flaws (CVSS 10.0 and 9.8). Attackers can spoof their source IP to bypass access controls, or crash the server before login. Both need no authentication. Here are the affected versions and how to upgrade to v3.0.9.
2026.06.20 · 5 views
News Updated 7 days ago
JetBrains Hub Hit by Perfect 10.0 Flaw (CVE-2026-50242): Admin Takeover With No Password, Update Now
Security, Development, Global Companies
On June 19, 2026, JetBrains disclosed three critical flaws in its login-management service JetBrains Hub. The most severe, CVE-2026-50242, scores a perfect 10.0: an attacker can bypass identity checks from outside and impersonate an administrator. Fixes are already available.
2026.06.20 · 4 views
Lab Updated 4 days ago
Claude Code vs Codex: Only 1 of 17 Tries Fixed an Unseen Vulnerability
Security, AI, Development
We planted brand-new vulnerabilities that the models had never seen, cut off internet access so they could not look up the answer, and asked Claude Code and Codex to fix them. Across 17 runs, only one actually closed the real hole. Knowing the file was not enough, and a green test suite did not mean the bug was gone.
2026.06.19 · 12 views
Roundup Updated 7 days ago
ChatGPT Ads in Japan: When They Started, the Cost, the Results, and Whether They Change Answers
Japanese Companies, Global Companies, AI
In June 2026, ChatGPT ads started in Japan, targeting the free and low-cost "Go" plans (paid Plus and Pro show none), with Dentsu and CyberAgent supporting placement. This guide covers when it began in Japan, what advertisers pay, how the ads have performed, and the user question of whether ads change the answers, from both the advertiser's and user's side.
2026.06.19 · 19 views
News
Acer, ASUS, Toshiba and More: Secure Boot Bypass Risks a Malware That Won't Wipe (JVNVU#93024090)
Linux, Security, Infrastructure
PCs from several makers—Acer, ASUS, GIGABYTE, Toshiba and more—have a weakness that lets attackers slip past Secure Boot, the startup safety check (JVNVU#93024090). If abused, malware that survives an OS reinstall and evades antivirus can be planted deep in the machine. The attack needs admin rights or physical access; fix it with maker firmware updates and DBX updates.
2026.06.19 · 14 views
News
mcp-pinot, the Bridge Between AI and Your Database, Lets Anyone In: CVE-2026-49257, Update to v3.1.0
Security, Development, AI
mcp-pinot, the component that connects AI assistants to an analytics database, was left reachable by anyone from the outside at its default settings. CVE-2026-49257 carries the maximum 10.0 severity. An attacker can read and write the database without authentication, risking a full takeover. No-auth holes keep surfacing in the 'MCP servers' that connect AI to external systems; affected v3.0.1 and earlier should be updated to v3.1.0 immediately.
2026.06.19 · 8 views
News
Bitnami Cassandra Images Leave a Default Password Active: CVE-2026-47846, Update Now
Development, Security, Infrastructure
A flaw in the Bitnami official container images of Apache Cassandra, the popular database that distributes large volumes of data across servers, can leave a well-known default password active. CVE-2026-47846 is rated 9.8 out of 10. Even if you set up your own administrator, an attacker can break in from the outside with the default account and read or write all data. The affected 4.0/4.1/5.0 branches should be updated to a fixed version immediately.
2026.06.19 · 4 views
News
Account Takeover Flaw in AI Agent Tool AutoGPT: CVE-2026-55237, Update to 0.6.62
AI, Development, Security
A vulnerability in AutoGPT, the well-known tool for building AI agents, can let an attacker hijack a user's account just by getting them to click a crafted link. Published June 18, 2026 as CVE-2026-55237 with a severity of 8.8 out of 10, it affects self-hosted installs. Updating to the latest version, 0.6.62, closes the hole.
2026.06.19 · 5 views
News
FFmpeg Takeover Flaw via Crafted Video Files: CVE-2026-8461, Update to 8.1.2 Now
Development, Security
A vulnerability in FFmpeg, the video/audio conversion software used worldwide, can let an attacker take over a PC or server just by getting it to read a crafted video file. Published June 18, 2026 as CVE-2026-8461, it affects all versions before 8.1.2. Services that auto-convert user-uploaded video are especially at risk. Updating to 8.1.2 closes the hole.
2026.06.19 · 46 views