News · Updated today
Critical Kestra flaws (CVE-2026-53576/49869): unauthenticated root RCE
Infrastructure · Development · Security
Critical Kestra flaws (CVE-2026-53576/49869): an unauthenticated attacker bypasses login and runs commands as root, taking over the host. The orchestration platform is used by 30,000+ orgs. Update to 1.3.24.
2026.06.27 · 2 views
News · Updated today
Critical mise flaws CVE-2026-33646/55441: cd into a repo, code runs
Security · Development
Critical mise flaws (CVE-2026-33646/55441): entering a malicious repo folder or tab-completing a task runs an attacker's command on your machine. The dev-environment manager's trust check is bypassed. Update to 2026.6.4.
2026.06.27 · 0 views
News · Updated today
Code-execution flaw in ad server Revive Adserver (CVE-2026-50741): update to 6.0.8
Security · Development
Revive Adserver, the open-source software for self-hosting ad delivery, has a server-takeover flaw, CVE-2026-50741 (CVSS 8.8). A low-privileged login account can run arbitrary programs, and the issue is a bypass of June's fix for CVE-2026-34916. It is exploitable via the type parameter and the ox.setChannelTargeting XML-RPC method. Versions up to 6.0.7 are affected; update to 6.0.8.
2026.06.26 · 2 views
News · Updated yesterday
pnpm Hit by 2 Serious Flaws Letting Malicious Code Hijack Developer Machines (CVE-2026-55698)
Development · Security
Two high-severity flaws have been found in pnpm, the widely used JavaScript package manager. Pulling in a malicious package or repository can let an attacker take over a developer's machine and run arbitrary code. Fixes are out: update to 10.34.2+ on the 10.x line or 11.5.3+ on 11.x.
2026.06.26 · 0 views
News · Updated 2 days ago
Reverse-Proxy Takeover Flaw in Low-Code Platform Appsmith (CVE-2026-55454) — Update to v2.1
Security · Development
Appsmith, a popular low-code platform for building internal business apps, has a flaw that lets a low-privilege user take over the server's traffic gateway (reverse proxy). CVE-2026-55454 is rated CVSS 9.9. The bundled proxy's management function was open without authentication, and combined with SSRF the configuration can be replaced wholesale. Versions before 2.1 are affected; update to 2.1.
2026.06.25 · 4 views
News · Updated 2 days ago
Three Unauthenticated Takeover Flaws in Team Chat Rocket.Chat (CVE-2026-45688 and More) — Update Now
Development · Security
Rocket.Chat, a team chat platform used by governments and enterprises, has three flaws that can let an attacker take over another account without authentication. The most serious, CVE-2026-45688 and CVE-2026-45689, are CVSS 9.1. By injecting database symbols into the login endpoint, an attacker bypasses identity checks and can steal access and escalate to admin. Update to the latest release of your line.
2026.06.25 · 1 view
News · Updated 2 days ago
Six Flaws in Self-Hosted Git Service Gogs, Unauthenticated Takeover (CVE-2026-52813 and More) — Update to v0.14.3
Security · Development
Gogs, a lightweight Git service for managing source code on your own server, has six vulnerabilities. The most serious, CVE-2026-52813, is rated CVSS 10.0 and allows server takeover without authentication. Others include code execution and admin-rights seizure. Versions before 0.14.3 are affected; a single update fixes them all. If you self-host Gogs, update now.
2026.06.25 · 1 view
News · Updated 2 days ago
Cache-Poisoning Takeover Flaw in Publishing Platform Ghost (CVE-2026-53943) — Update to v6.37.0
Development · Security
Ghost, a popular tool for blogs and newsletters, has a flaw that lets an attacker poison the site's display from outside and potentially take over the operator's account. CVE-2026-53943, severity CVSS 9.6. A header sent without authentication can serve a poisoned display to other visitors, and when the public site and admin share one domain it can lead to staff takeover. Versions 4.0.0–6.36.x are affected; update to 6.37.0.
2026.06.25 · 4 views
News · Updated 2 days ago
Four Flaws in AI Agent Terminal Warp (CVE-2026-48704 and More) — Update to the Latest Build
Development · Security
Warp, a developer terminal with a built-in AI agent, has four vulnerabilities, CVE-2026-48704 among them, all rated CVSS 8.6 to 8.8. Merely opening a crafted document, receiving on-screen output, or letting the AI work in a malicious repository can run programs on your computer without your intent. Update to the latest build.
2026.06.25 · 3 views
News · Updated 2 days ago
Many Flaws in Capacitor Live-Update Service Capgo (CVE-2026-56237 and More) — Update to v12.128.2 Now
Security · Development
Capgo, a service that updates a mobile app's contents instantly without app-store review, has been found to contain many vulnerabilities from weak authentication. CVE-2026-56237 and others; the most severe is CVSS 9.1. Attackers could take over accounts and organizations and tamper with the updates pushed to apps. Versions 12.128.1 and earlier are affected; update to 12.128.2 or later.
2026.06.24 · 1 view
News · Updated 2 days ago
Admin Takeover Flaw in WordPress 'Ultimate Member' (CVE-2026-7761) — Update to v2.12.0 Now
Security · Development
Ultimate Member, a membership-site plugin used by over 200,000 sites, has a flaw letting a Contributor-level user take over an administrator. CVE-2026-7761, severity CVSS 8.8. Versions 2.11.4 and earlier are affected; update to the latest 2.12.0. An attacker can steal the admin's password reset link and seize the entire site.
2026.06.24 · 2 views
News · Updated 2 days ago
Style Dictionary flaw CVE-2026-54639: a crafted token can poison your build — update to 5.4.4
Security · Development
Style Dictionary, the popular tool that turns design tokens (colors, spacing) into code, has a high-severity flaw, CVE-2026-54639 (8.8). A crafted token can pollute the shared object prototype during a build, cascading to a poisoned build, outages, or worse. Versions 4.3.0 to 5.4.3 are affected. Update to 5.4.4 — and here's who actually needs to worry.
2026.06.24 · 2 views