News Updated today
Critical Kestra flaws (CVE-2026-53576/49869): unauthenticated root RCE
Infrastructure, Development, Security
Critical Kestra flaws (CVE-2026-53576/49869): an unauthenticated attacker bypasses login and runs commands as root, taking over the host. The orchestration platform is used by 30,000+ orgs. Update to 1.3.24.
2026.06.27, 2 views
News Updated yesterday
Max-Severity Flaw in Manufacturers' Design-Data Software PTC Windchill: Patch Now (CVE-2026-12569)
Security, Infrastructure
PTC Windchill and FlexPLM, the design-data (PLM) software used across automotive, electronics and other manufacturing, have a maximum-severity flaw that allows unauthenticated remote takeover. Germany's BSI issued an overnight warning to administrators, and attacks are reported to be underway. U.S. CISA has set a June 28 deadline; apply the fix.
2026.06.26, 4 views
News Updated yesterday
Cisco Phone System Flaw CVE-2026-20230 Now Exploited: Patch to Stop a Root Takeover
Security, Infrastructure
Cisco Unified Communications Manager, the software many companies use to run their phone systems, has an unauthenticated flaw that is already being exploited. At worst, attackers can take over the server and seize root. U.S. CISA set a June 28 deadline; apply the fix.
2026.06.26, 1 view
News Updated 2 days ago
10 Flaws in Quest NetVault Backup Allow Auth Bypass and Server Takeover: CVE-2026-9787 and More, Update to 14.0.2
Infrastructure, Security
Quest NetVault Backup, an enterprise backup product, has 10 vulnerabilities, each rated CVSS 8.8, disclosed at once. Several allow bypassing authentication and taking over the server to run commands at the highest privilege level. They were published by Trend Micro's ZDI on June 24, 2026 and are fixed in 14.0.2. Update internet-exposed management consoles first.
2026.06.25, 1 view
News Updated 2 days ago
Unauthenticated Database-Theft Flaw in Network Monitor Cacti (CVE-2026-39893) — Update to v1.2.31
Security, Infrastructure
Cacti, a standard tool for graphing and monitoring servers and networks, has a flaw (CVE-2026-39893, critical, CVSS 9.8) that lets the database be read and manipulated without authentication. It is a SQL injection through a filter value, exploitable without a login on installations that have guest viewing enabled. Versions 1.2.30 and earlier are affected; update to 1.2.31.
2026.06.25, 2 views
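The bug class behind the Cacti item, as an added illustration (this is a constructed toy schema and query, not Cacti's code, and the table names, rows and filter strings are made up for the example): a filter value from a guest request is pasted into the SQL text, so the same input can both lift the guest-only restriction and pull rows out of an unrelated credentials table, while the parameterised form treats the whole value as one string.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed toy schema: a 'graph' table with a guest-visibility flag and a
    'user_auth' table holding credentials a guest must never see."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE graph (id INTEGER PRIMARY KEY, title TEXT, visible_to_guest INTEGER);
        INSERT INTO graph VALUES (1, 'Public traffic', 1);
        INSERT INTO graph VALUES (2, 'Core router CPU', 0);
        INSERT INTO graph VALUES (3, 'Internal DB latency', 0);
        CREATE TABLE user_auth (username TEXT, password TEXT);
        INSERT INTO user_auth VALUES ('admin', 'constructed-hash-value');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, filter_value: str) -> list[str]:
    """Bug class: the request's filter value is interpolated into the SQL text, so
    both the guest-only WHERE clause and the table boundary are attacker-controlled."""
    sql = ("SELECT title FROM graph WHERE visible_to_guest = 1 "
           f"AND title LIKE '%{filter_value}%'")
    return [row[0] for row in con.execute(sql)]


def search_fixed(con: sqlite3.Connection, filter_value: str) -> list[str]:
    """Hardened form: a bound parameter. Whatever the value contains, the engine
    sees one string compared by LIKE and nothing else."""
    sql = ("SELECT title FROM graph WHERE visible_to_guest = 1 "
           "AND title LIKE ?")
    return [row[0] for row in con.execute(sql, (f"%{filter_value}%",))]


# Constructed guest inputs. The hostile ones close the LIKE literal, inject,
# and comment out the remainder of the original query with a SQL line comment.
FILTER_BENIGN = "traffic"
FILTER_TAUTOLOGY = "x%' OR 1=1 --"          # lifts the guest-visibility restriction
FILTER_UNION_THEFT = ("x%' UNION SELECT username || ':' || password "
                      "FROM user_auth --")  # reads credentials out of another table

if __name__ == "__main__":
    for name, value in (("benign", FILTER_BENIGN), ("tautology", FILTER_TAUTOLOGY),
                        ("union", FILTER_UNION_THEFT)):
        print(f"{name:10} vulnerable -> {search_vulnerable(demo_db(), value)}")
        print(f"{name:10} fixed      -> {search_fixed(demo_db(), value)}")
```

The parameterised version still lets a caller use `%` and `_` as LIKE wildcards; if that matters, escape them in the value with an `ESCAPE` clause, but that is a search-quality concern, not an injection one.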
News Updated 2 days ago
SSRF Flaw in Mastodon Lets the Server Be Abused to Reach Cloud Secrets (CVE-2026-47389) — Update Now
Infrastructure, Security
Mastodon's server software has an SSRF flaw (CVE-2026-47389, CVSS 8.6) that lets an attacker use the server itself as a stepping stone, making it open connections on the attacker's behalf. With crafted DNS records for a hostname the server is asked to fetch, an attacker can steer it to internal services or to the cloud provider's instance-metadata endpoint and steal credentials such as access keys. Versions 4.5.9 / 4.4.16 / 4.3.22 and earlier are affected; operators should update to 4.5.10 / 4.4.17 / 4.3.23.
2026.06.25, 0 views
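The defence a server-side fetcher needs against the DNS-driven SSRF described above, as an added example (not Mastodon's code): resolve the hostname yourself, reject every answer that lands in a private, loopback, link-local or metadata range, and hand back the vetted address so the caller connects to that IP (sending the original Host header) instead of resolving a second time. The blocked-range list is a hypothetical policy and the DNS answers are constructed so the example runs offline.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges a public fetcher must never reach. 169.254.169.254 (the AWS/Azure/GCP
# instance-metadata address) sits inside 169.254.0.0/16; the rest cover RFC 1918,
# loopback, CGNAT and the IPv6 equivalents. Hypothetical policy for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


class SSRFBlocked(ValueError):
    pass


def is_blocked(ip_text: str) -> bool:
    """True if the address falls in a range the fetcher must not contact."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:       # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def vet_url(url: str, resolve: Resolver) -> tuple[str, str, int]:
    """Return (host, pinned_ip, port) for a URL that is safe to fetch, or raise.

    Every address the name resolves to is checked: an attacker can return a
    harmless public address alongside a private one and let the client's
    address-selection logic pick the bad one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host in URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        answers = [str(ipaddress.ip_address(host))]   # literal IP: no DNS involved
    except ValueError:
        answers = list(resolve(host))
    if not answers:
        raise SSRFBlocked(f"{host} did not resolve")
    for a in answers:
        if is_blocked(a):
            raise SSRFBlocked(f"{host} resolves to blocked address {a}")
    # Pin the first vetted answer: connect to this IP and send Host: <host>, so a
    # second lookup (the window a rebinding attack needs) never happens.
    return host, answers[0], port


# Constructed DNS answers standing in for a real resolver.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "meta.attacker.test": ["169.254.169.254"],               # metadata endpoint
    "mixed.attacker.test": ["93.184.216.34", "10.0.0.5"],    # one public, one private
    "v6.attacker.test": ["::ffff:127.0.0.1"],                # IPv4-mapped loopback
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def check(url: str) -> str:
    """Demo wrapper: 'ALLOW <ip>' or 'BLOCK <reason>' for a URL under the fake DNS."""
    try:
        _, ip, _ = vet_url(url, fake_resolve)
        return f"ALLOW {ip}"
    except SSRFBlocked as exc:
        return f"BLOCK {exc}"


if __name__ == "__main__":
    for u in ("https://example.org/actor", "http://meta.attacker.test/latest/meta-data/",
              "https://mixed.attacker.test/", "http://v6.attacker.test/", "http://[::1]:8080/"):
        print(u, "->", check(u))
```

The pinning step is the part most implementations forget: validating the name and then letting the HTTP client resolve it again gives the attacker a second DNS answer to play with. The guard also needs to run again on every redirect target, since a vetted public host can 302 to the metadata address.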
News Updated 2 days ago
Two File-Write Flaws in Self-Hosted Media Server Jellyfin (CVE-2026-48793 and More) — Update to v10.11.10
Security, Infrastructure
Jellyfin, a popular tool for streaming movies and music from a home server, has two flaws (CVE-2026-48793 and CVE-2026-49247, both CVSS 8.8) that let an attacker write files to locations on the server they should not be able to reach. No administrator privileges are needed, so shared and internet-exposed servers are most at risk. Versions before 10.11.10 are affected; update to 10.11.10.
2026.06.25, 5 views
News Updated 2 days ago
Unauthenticated Remote Takeover Flaw in Cloud Sync Tool Rclone (CVE-2026-49980) — Update to v1.74.3
Security, Infrastructure
Rclone, a standard tool for copying and syncing files to cloud storage, has a flaw (CVE-2026-49980, critical, CVSS 9.8) that can be exploited remotely without authentication. If the remote-control daemon (rcd) is exposed to the network, a single crafted request can run arbitrary commands on the machine running Rclone. Versions 1.46.0 through 1.74.2 are affected; update to 1.74.3.
2026.06.25, 7 views
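The precondition in the Rclone item is an rcd reachable from the network, so the first triage question on each host is whether rclone is listening anywhere other than loopback. The check below is an added example, not part of rclone or of the original page: it parses `ss -ltnp` output (a constructed sample is embedded) and reports every rclone listener bound to a non-loopback address. It flags any port, not only rclone's default rc port 5572, because `--rc-addr` can put the daemon anywhere.

```python
import ipaddress
import re

# Constructed `ss -ltnp` output: one loopback-only rcd, three exposed rclone
# listeners, and an unrelated sshd socket. Real output has the same columns.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:5572      0.0.0.0:*         users:(("rclone",pid=2201,fd=7))
LISTEN 0      4096   0.0.0.0:5572        0.0.0.0:*         users:(("rclone",pid=2319,fd=7))
LISTEN 0      4096   [::]:5572           [::]:*            users:(("rclone",pid=2455,fd=8))
LISTEN 0      4096   10.0.3.7:8080       0.0.0.0:*         users:(("rclone",pid=2602,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
"""

_RCLONE_PID = re.compile(r'"rclone",pid=(\d+)')


def split_addr(local: str) -> tuple[str, int]:
    """'127.0.0.1:5572' -> ('127.0.0.1', 5572); '[::]:5572' -> ('::', 5572); '*:5572' -> ('*', 5572)."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def reachable_from_network(host: str) -> bool:
    """True unless the socket is bound to a loopback address only.

    0.0.0.0 and :: (the unspecified addresses) mean 'every interface' and are
    reported; anything we cannot parse is treated as exposed, erring on the
    side of a false positive."""
    if host == "*":
        return True                       # ss shorthand for any address
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def exposed_rclone_rc(ss_output: str) -> list[tuple[int, str, int]]:
    """Return (pid, bind address, port) for every rclone listener not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue                      # header line or a non-listening socket
        match = _RCLONE_PID.search(line)
        if not match:
            continue                      # some other process owns this socket
        host, port = split_addr(fields[3])
        if reachable_from_network(host):
            findings.append((int(match.group(1)), host, port))
    return findings


if __name__ == "__main__":
    for pid, host, port in exposed_rclone_rc(SAMPLE_SS):
        print(f"rclone pid {pid} listens on {host}:{port} and is reachable from the network")
```

Run it against live output with `ss -ltnp | python3 check_rcd.py` after changing the `__main__` block to read `sys.stdin`. Anything it reports should be restarted with `--rc-addr 127.0.0.1:5572` (rclone's default bind) and, if remote access is genuinely required, put behind `--rc-user`/`--rc-pass` and a reverse proxy rather than `--rc-no-auth`; none of that replaces the upgrade to 1.74.3.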
News Updated 2 days ago
8 Takeover Flaws in GeoVision GV-I/O Box 4E (CVE-2026-12485 and more) — Update to v2.12 Now
Security, Infrastructure
GeoVision's GV-I/O Box 4E, a device that controls alarms and electric locks alongside surveillance cameras, has 8 vulnerabilities allowing remote takeover without a password. The top severity is CVSS 10.0. Firmware 2.09 is affected; update to the fixed v2.12. Left unpatched, the device can become a stepping stone for attacks or network intrusion.
2026.06.24, 20 views
News Updated 5 days ago
Unauthenticated takeover flaw in AI crawler Crawl4AI (CVE-2026-56265): update to 0.8.7
AI, Security, Infrastructure
Crawl4AI, the popular tool that feeds web pages into AI systems, has a critical flaw (CVSS 9.8) that lets attackers take over a server without logging in. The self-hosted Docker edition shipped with the 'master key' used to verify users baked into the product, so anyone who knows it can impersonate an administrator. A fix, 0.8.7, is out; if you self-host, update urgently.
2026.06.22, 6 views
News Updated 6 days ago
Server takeover flaw in Prefect (CVE-2026-5366): update to the latest
Infrastructure, Development, Security
Prefect, the popular Python tool for automating data pipelines, has a critical flaw (CVSS 9.9) that lets attackers run code and take over the server. In shared multi-user setups, anyone who can register a job may take over other users' processing as well. A fix is out; if you self-host, update urgently.
2026.06.21, 10 views
News Updated 7 days ago
Two Critical Flaws in ProxySQL (CVE-2026-48772 / 48773): Source Spoofing and Pre-Login Memory Corruption, Upgrade to v3.0.9 Now
Development, Security, Infrastructure
ProxySQL, the widely used proxy in front of MySQL and PostgreSQL, has two critical flaws (CVSS 10.0 and 9.8). Attackers can spoof their source IP to bypass access controls, or crash the server before login; neither requires authentication. The full article lists the affected versions and the upgrade path to v3.0.9.
2026.06.20, 5 views