Vulnerabilities
Curated coverage and analysis in this editorial area.
CVE-2026-20230: Public PoC for Cisco Unified CM Vulnerability Risks Remote Root Access
Cisco disclosed on June 3, 2026, that proof-of-concept code is available for CVE-2026-20230, a critical SSRF vulnerability in Unified…
Why CVSS Scores Fail the Factory Floor: A New Framework for OT Vulnerability Management
An OT security practitioner has introduced a five-step framework to evaluate the actual exploitability of vulnerabilities in manufactu…
CVE-2026-48095: 7-Zip NTFS Handler Heap Overflow
A heap overflow in 7-Zip’s NTFS handler allows for RCE via crafted files. The vulnerability involves signature-based file routing that…
Acer Wave 7: Critical Zero-Days Exposed, Patch Not Expected Until Late June
Acer confirms two vulnerabilities (CVSS 10.0 and 9.8) in its Wave 7 router, involving cleartext credential leaks and a persistent back…
Microsoft Refuses to Patch Windows Search URI Flaw Enabling NTLM Hash Theft
Huntress has disclosed an unpatched vulnerability in the Windows search: URI handler that allows attackers to steal NTLMv2 hashes via…
Kemp LoadMaster API Flaw Enables Authenticated RCE: CVSS 8.8 Vulnerability Patched
CVE-2026-3517 in Progress Software Kemp LoadMaster allows authenticated users to execute arbitrary code via command injection in the c…
CVE-2026-0826: Root RCE Vulnerability Hits HP Poly Enterprise VoIP Phones
A critical stack-based buffer overflow in HP Poly Voice's SDP parsing allows unauthenticated remote code execution with root privilege…
Tuskira Unveils Quell: AI Agent Designed to Mitigate Zero-Days Before Patches Exist
Tuskira has launched Quell, an AI agent that maps attack paths and orchestrates compensating controls to neutralize zero-day threats a…
CISA Warns of Active Exploitation for Two-Year-Old Oracle WebLogic Flaw
CISA has added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of an Oracle WebLog…
BadBone: Dormant AI Backdoor Evades Six Major Security Defenses
BadBone research demonstrates that backdoors in pre-trained AI models remain invisible until customized, maintaining a 0.10% attack su…
Gitea Bug Exposed Private Container Images for Four Years
CVE-2026-27771: A critical flaw in Gitea’s container registry left approximately 31,750 instances vulnerable for nearly four years. Di…
Anthropic Grants ENISA Access to Mythos: A Strategic Shift for EU Cybersecurity
Anthropic is granting ENISA access to its Mythos model for vulnerability discovery. As the first EU entity to join Project Glasswing,…