Netcrook

May 2026

28 May 2026


Browser Code in the Control Room: CP Plus NVR Flaw Turns a Login Page Into Risk

Published: 28 May 2026 20:52 | Category: Vulnerabilities & Patch Management | Geo: Asia / India | Author: SECURESPECTER

A stored cross-site scripting weakness in a CP Plus recorder shows how a routine management interface can become a high-risk trust boundary for operators and defenders.

Firmware Secret Turns a Serial Gateway Into a Security Trap

Published: 28 May 2026 20:45 | Category: Vulnerabilities & Patch Management | Geo: Asia / China | Author: DEEPAUDIT

A critical flaw in a serial-to-IP converter shows how one embedded credential can undermine the trust boundary around industrial edge devices.

Inside a Building Gateway Bug: How a Session Flaw Can Turn Into Control-Plane Risk

Published: 28 May 2026 20:42 | Category: Vulnerabilities & Patch Management | Geo: Europe / Switzerland | Author: SECURESPECTER

ABB’s EIBPORT advisory is a reminder that in smart buildings, a web-session weakness can matter as much as a protocol flaw when management interfaces sit too close to untrusted networks.

TP-Link Patch Alert Exposes a Familiar Weak Spot: The Edge Device Trap

Published: 28 May 2026 20:18 | Category: Vulnerabilities & Patch Management | Geo: Asia / China | Author: NEONPALADIN

A high-severity vulnerability in TP-Link products has been paired with a security update, and the real lesson is how quickly a single device flaw can become an operational problem.

Billions for the Patch: IBM and Red Hat Try to Make Open Source Safer Without Breaking Production

Published: 28 May 2026 20:16 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

Project Lightwell is a bet that the hardest part of software security is not finding flaws, but fixing them in systems that cannot afford to stop.

FortiClient EMS Under Pressure as a Zero-Day Flare Turns Into Fresh Attack Chatter

Published: 28 May 2026 20:03 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

Fortinet’s April hotfixes for a FortiClient EMS security defect show how quickly a management-plane bug can become an urgent fleet-risk problem.

One Notebook, One Shell, One Dangerous Shortcut into the Cloud

Published: 28 May 2026 19:14 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A marimo flaw tied to unauthenticated terminal access, followed by credential harvesting and a reported database pivot, shows how quickly a notebook compromise can turn into identity abuse.

A Patched Bug Still Burning: Why Active Exploitation Changes the Risk Picture

Published: 28 May 2026 18:56 | Category: Vulnerabilities & Patch Management | Geo: Europe / Cyprus | Author: DEEPAUDIT

A notice about DAEMON Tools Lite and CVE-2026-8398 shows how a fixed vulnerability can still matter once attackers begin using it in the wild.

When Zero-Day Details Go Public, the Dispute Moves to the Platform Layer

Published: 28 May 2026 18:54 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A researcher account removal and a forceful defense of coordinated disclosure show how vulnerability handling now depends on both security process and platform governance.

IBM’s $5 Billion Open-Source Push Puts Patch Speed Under the Microscope

Published: 28 May 2026 18:48 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

A large security investment is only as good as the operational plumbing behind it, and open-source risk still lives or dies on inventory, provenance, and disciplined remediation.

Gogs Zero-Day Puts Self-Hosted Git Servers in the Blast Radius

Published: 28 May 2026 18:44 | Category: Vulnerabilities & Patch Management | Author: SECURESPECTER

A newly reported, unpatched flaw in Gogs raises a familiar but urgent question: what happens when the server that holds code, automation, and trust becomes the target?

Roundcube’s Quiet Patch Window Exposed a Loud Webmail Risk

Published: 28 May 2026 16:05 | Category: Vulnerabilities & Patch Management | Author: SECURESPECTER

A pre-authentication SQL injection in a Roundcube plugin shows how a single server-side query bug can turn internet-facing webmail into a database attack surface before anyone logs in.

Check Point flaws put file reads and service stability in the crosshairs

Published: 28 May 2026 15:47 | Category: Vulnerabilities & Patch Management | Geo: Middle East / Israel | Author: NEONPALADIN

Italy’s CSIRT flagged newly identified vulnerabilities in Check Point products, including three rated high severity, with potential impact ranging from arbitrary file reading to service disruption.

Roundcube’s Hidden Lookup Path Became the Weakest Link

Published: 28 May 2026 15:40 | Category: Vulnerabilities & Patch Management | Geo: Europe / Switzerland | Author: NEONPALADIN

A critical pre-authentication SQL injection in Roundcube’s database-backed lookup logic shows how an optional feature can widen the attack surface of a webmail platform before any login happens.

Notepad++ Patch Exposes a Quiet Windows Risk: When Settings Can Become Execution Paths

Published: 28 May 2026 15:15 | Category: Vulnerabilities & Patch Management | Geo: Europe / France | Author: DEEPAUDIT

Version 8.9.6.1 closes three vulnerabilities in the Windows editor, including two that can lead to arbitrary code execution, and the case shows why configuration files deserve the same scrutiny as executable code.

When a Failed Symfony Login Turns Into a Security Boundary Test

Published: 28 May 2026 15:10 | Category: Vulnerabilities & Patch Management | Geo: Europe / France | Author: DEEPAUDIT

A high-severity flaw in Symfony exposed a subtle truth: sometimes the danger is not the password check itself, but the way the framework handles failure.

Private by Design, Public by Mistake: The Gitea Registry Gap That Turned Access Control Inside Out

Published: 28 May 2026 15:06 | Category: Vulnerabilities & Patch Management | Author: NEONPALADIN

A critical flaw in Gitea’s container registry shows how one broken permission check can turn private build artifacts into anonymous downloads, with risk that stretches beyond a single image.

Notepad++ Patch Turns a Familiar Editor Into a Lesson on Trust Boundaries

Published: 28 May 2026 15:04 | Category: Vulnerabilities & Patch Management | Geo: Europe / France | Author: SECURESPECTER

Version 8.9.6.1 closes three security flaws, including paths that could allow code execution under specific conditions if user-editable configuration files were manipulated.

Gitea Registry Bug Puts Private Container Images in the Crosshairs

Published: 28 May 2026 14:47 | Category: Vulnerabilities & Patch Management | Author: NEONPALADIN

A critical flaw tied to CVE-2026-27771 could let unauthenticated attackers reach private images, turning a self-hosted registry into a sensitive data leak point.

Seven GitLab Fixes, One Sharp Warning: Access Control Still Breaks the Build Chain

Published: 28 May 2026 14:42 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

GitLab has pushed security updates for CE and EE that close seven vulnerabilities, including one high-severity flaw with potential privilege and data-integrity impact.
