News Updated today
Critical Kestra flaws (CVE-2026-53576/49869): unauthenticated root RCE
InfrastructureDevelopmentSecurity
Critical Kestra flaws (CVE-2026-53576/49869): an unauthenticated attacker bypasses login and runs commands as root, taking over the host. The orchestration platform is used by 30,000+ orgs. Update to 1.3.24.
2026.06.272 views
News Updated today
Critical mise flaws CVE-2026-33646/55441: cd into a repo, code runs
SecurityDevelopment
Critical mise flaws (CVE-2026-33646/55441): entering a malicious repo folder or tab-completing a task runs an attacker's command on your machine. The dev-environment manager's trust check is bypassed. Update to 2026.6.4.
2026.06.270 views
News Updated yesterday
Code-execution flaw in ad server Revive Adserver (CVE-2026-50741): update to 6.0.8
SecurityDevelopment
Revive Adserver, the open-source software for self-hosting ad delivery, has a server-takeover flaw, CVE-2026-50741 (CVSS 8.8). A low-privileged login account can run arbitrary programs, and it is a recurrence that bypasses June's fix for CVE-2026-34916. It is exploitable via the type parameter and the ox.setChannelTargeting XML-RPC method. Versions up to 6.0.7 are affected; update to 6.0.8.
2026.06.262 views
News Updated yesterday
Max-Severity Flaw in Manufacturers' Design-Data Software PTC Windchill: Patch Now (CVE-2026-12569)
SecurityInfrastructure
PTC Windchill and FlexPLM, the design-data software used across automotive, electronics and other manufacturing, has a max-severity flaw allowing unauthenticated remote takeover. Germany's BSI warned admins at night, and attacks are reported underway. U.S. CISA set a June 28 deadline; apply the fix.
2026.06.264 views
News Updated yesterday
Cisco Phone System Flaw CVE-2026-20230 Now Exploited: Patch to Stop a Root Takeover
InfrastructureSecurity
Cisco Unified Communications Manager, the software many companies use to run their phone systems, has an unauthenticated flaw that is already being exploited. At worst, attackers can take over the server and seize root. U.S. CISA set a June 28 deadline; apply the fix.
2026.06.261 views
News Updated yesterday
pnpm Hit by 2 Serious Flaws Letting Malicious Code Hijack Developer Machines (CVE-2026-55698)
DevelopmentSecurity
Two high-severity flaws have been found in pnpm, the widely used JavaScript package manager. Pulling in a malicious package or repository can let an attacker take over a developer's machine and run arbitrary code. Fixes are out: update to 10.34.2+ on the 10.x line or 11.5.3+ on 11.x.
2026.06.260 views
News Updated yesterday
Toshiba/Dynabook PCs Have an Unpatchable Driver Flaw (CVE-2026-56129): Remove the Driver
Japanese CompaniesSecurity
A driver preinstalled on Toshiba and Dynabook PCs has a vulnerability that may let even a non-administrator user improperly access the PC's memory. Disclosed June 25, 2026 as CVE-2026-56129. No fix will be provided; the countermeasure is to remove the affected driver. Check the vendor's official notice for whether your model is affected.
2026.06.250 views
News Updated 2 days ago
10 Flaws in Quest NetVault Backup Allow Auth Bypass and Server Takeover: CVE-2026-9787 and More, Update to 14.0.2
InfrastructureSecurity
Quest NetVault Backup, enterprise backup software, has 10 CVSS-8.8 vulnerabilities disclosed at once — several allow bypassing authentication and taking over the server to run commands at the highest privilege. Published by Trend Micro's ZDI on June 24, 2026. Fixed in 14.0.2. Update internet-exposed management consoles first.
2026.06.251 views
News Updated 2 days ago
Reverse-Proxy Takeover Flaw in Low-Code Platform Appsmith (CVE-2026-55454) — Update to v2.1
SecurityDevelopment
Appsmith, a popular low-code platform for building internal business apps, has a flaw that lets a low-privilege user take over the server's traffic gateway (reverse proxy). CVE-2026-55454, severity CVSS 9.9. The bundled proxy's management function was open without authentication, and combined with SSRF the configuration can be replaced wholesale. Versions before 2.1 are affected; update to 2.1.
2026.06.254 views
News Updated 2 days ago
Unauthenticated Database-Theft Flaw in Network Monitor Cacti (CVE-2026-39893) — Update to v1.2.31
SecurityInfrastructure
Cacti, a standard tool for monitoring servers and networks with graphs, has a flaw that can let the database be manipulated without authentication. CVE-2026-39893, with a top-class severity of CVSS 9.8. It is SQL injection from a filtering value, abusable without a login on setups with guest viewing enabled. Versions 1.2.30 and earlier are affected; update to 1.2.31.
2026.06.252 views
News Updated 2 days ago
Three Unauthenticated Takeover Flaws in Team Chat Rocket.Chat (CVE-2026-45688 and More) — Update Now
DevelopmentSecurity
Rocket.Chat, a team chat platform used by governments and enterprises, has three flaws that can let an attacker take over another account without authentication. The most serious, CVE-2026-45688 and CVE-2026-45689, are CVSS 9.1. By injecting database symbols into the login endpoint, an attacker bypasses identity checks and can steal access and escalate to admin. Update to the latest release of your line.
2026.06.251 views
News Updated 2 days ago
Six Flaws in Self-Hosted Git Service Gogs, Unauthenticated Takeover (CVE-2026-52813 and More) — Update to v0.14.3
SecurityDevelopment
Gogs, a lightweight Git service for managing source code on your own server, has six vulnerabilities. The most serious, CVE-2026-52813, is a CVSS 10.0 that takes over the server without authentication. Others include code execution and admin-rights seizure. Versions before 0.14.3 are affected; a single update fixes them all. If you self-host Gogs, update now.
2026.06.251 views
