Netcrook


#Security Flaw

When a CMS Bug Becomes a Command Trap

Published: 24 May 2026 18:04 | Category: Vulnerabilities & Patch Management | Geo: Asia / Singapore | Author: DEEPAUDIT

A critical Ghost CMS SQL injection flaw is being used not just for database access, but as a stepping stone into browser-based ClickFix lures.

One Chromium Bug, Many Browsers: Why a Public PoC Changes the Clock

Published: 22 May 2026 16:42 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

A critical unfixed Chromium vulnerability moved into a more dangerous phase after proof-of-concept code surfaced, raising the stakes for Chrome and other Chromium-based browsers that depend on the same upstream engine.

When a Security Platform Hands Out the Keys, the Damage Starts in the Control Plane

Published: 21 May 2026 16:09 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

Cisco has patched a maximum-severity flaw in Secure Workload that could let an attacker reach Site Admin privileges, turning a defensive management tool into a high-value target.

When the Shield Needs a Patch: Defender Zero-Days Put Trust at Risk

Published: 21 May 2026 13:05 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

Microsoft began rolling out fixes for two Microsoft Defender flaws after they were reportedly exploited before a public patch was broadly available.

Microsoft’s Defender Patch Shows How the Guardian Can Become the Target

Published: 21 May 2026 12:16 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

Exploited flaws in two Defender-related components could let an attacker climb to SYSTEM or knock protection offline, underscoring how endpoint security software can become part of the attack surface.

Rsync’s Trust Boundary Just Got Smaller: Five Flaws, One Hard Lesson

Published: 21 May 2026 07:04 | Category: Vulnerabilities & Patch Management | Geo: Oceania / Australia | Author: DEEPAUDIT

A cluster of vulnerabilities in the file-sync staple shows why exposure is shaped less by product name than by the way the service is deployed.

ChromaDB Flaw Turns an AI Backend Into a Remote Control Panel

Published: 20 May 2026 02:09 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

A max-severity issue in the Python FastAPI build of ChromaDB shows how one exposed AI service can become a takeover path when authentication and request handling fail in the wrong order.

Exchange Webmail Flaw Triggers a Race to Contain Live Attacks

Published: 18 May 2026 02:07 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

Microsoft has warned that a critical XSS issue in Exchange Server’s OWA interface is being exploited while defenders wait for a permanent fix.

Linux’s Quietest Failure Mode: A Local Bug That Can End in Root

Published: 14 May 2026 13:06 | Category: Vulnerabilities & Patch Management | Author: NEONPALADIN

Fragnesia is a reminder that the most dangerous Linux flaws are often not remote fireworks, but local kernel breaks that can hand an ordinary account the keys to the host.

Avatar Uploads, Full Trust: The Open WebUI Flaw That Turned a Profile Feature Into a Security Fault Line

Published: 12 May 2026 13:57 | Category: Vulnerabilities & Patch Management | Author: NEONPALADIN

A reported stored XSS issue in Open WebUI’s upload path shows how a routine profile-image workflow can become a persistent browser-side attack surface, with a claimed route to account hijacking and even deeper compromise in chained scenarios.

Three Flaws, One Admin Plane: cPanel and WHM Put Hosting Servers on Alert

Published: 11 May 2026 10:46 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A May 8 disclosure tied to cPanel, WHM, and WP Squared shows how small mistakes in hosting-control logic can create outsized risk when the vulnerable code sits close to server administration.

Edge of Danger: Microsoft’s Password Problem Exposes Enterprises to Silent Credential Theft

Published: 06 May 2026 01:08 | Category: Cloud, SaaS & Identity Security | Geo: North America | Author: LOGICFALCON

Microsoft Edge’s design flaw leaves user passwords vulnerable in process memory, posing a significant risk for organizations relying on the browser.

Shadow Code: How a Cursor AI Extension Flaw Left Developer Secrets Up for Grabs

Published: 29 April 2026 15:02 | Category: Cloud, SaaS & Identity Security | Author: LOGICFALCON

A critical oversight in Cursor’s extension architecture allows malicious add-ons to silently steal API keys and session tokens; no hacking skills required.

Open Source, Open Door: Hugging Face LeRobot Exposes AI Systems to Silent Takeover

Published: 28 April 2026 17:04 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A critical flaw in the popular LeRobot ML framework lets hackers seize control; no password required.

Behind the Wiki Curtain: Notion’s Public Pages Leak Editors’ Identities

Published: 20 April 2026 11:03 | Category: Breaches & Data Leaks | Author: AUDITWOLF

Security flaw in Notion exposes names, emails, and profile pictures of editors on public pages; no password required.

Silent Sabotage: How a “By Design” Flaw in Anthropic’s MCP Could Trigger the Next AI Supply Chain Meltdown

Published: 15 April 2026 17:04 | Category: Cyber Intelligence & Threat Trends | Geo: North America | Author: SECPULSE

An overlooked vulnerability in the Model Context Protocol exposes millions to cascading AI-powered cyberattacks.

Marimo Mayhem: Zero-Day Python Notebook Hackers Strike Within Hours

Published: 12 April 2026 16:48 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A critical flaw in Marimo’s open-source Python notebook platform was weaponized less than 10 hours after disclosure, exposing sensitive credentials worldwide.

Docker’s Invisible Door: How a Security Flaw Let Attackers Slip Past Defenses

Published: 08 April 2026 11:02 | Category: Vulnerabilities & Patch Management | Author: SECPULSE

A newly uncovered bug in Docker’s authorization system left critical systems open to stealthy attacks; here’s what went wrong and what you need to know.

Silent Sabotage: How Claude Code’s Hidden Flaw Left Developers Wide Open

Published: 06 April 2026 17:07 | Category: Vulnerabilities & Patch Management | Geo: North America | Author: KERNELWATCHER

A critical vulnerability in Anthropic’s AI coding assistant quietly disabled security rules, putting sensitive data and systems at risk.

Cracked Wide Open: How a Simple Logic Bug Nearly Turned Open VSX into a Malware Paradise

Published: 28 March 2026 09:31 | Category: Cyber Intelligence & Threat Trends | Author: SECPULSE