Topic: security vulnerability
Microsoft patches critical Office zero-day under active attack
Microsoft has urgently patched a critical, actively exploited Office vulnerability (CVE-2026-21509) that bypasses security features, requiring immediate updates to prevent system compromise. The flaw allows attackers to bypass OLE mitigations by tricking users into opening a malicious file, with ...
Microsoft fixes critical Office zero-day under active attack
Microsoft has urgently patched a critical, actively exploited zero-day vulnerability (CVE-2026-21509) in Office, which allows attackers to bypass security features by tricking users into opening malicious files. While patches are available for Office 2021, LTSC 2021/2024, and Microsoft 365, secur...
Critical Vulnerability in All In One SEO Plugin Impacts 3M+ WordPress Sites
A critical vulnerability in the All in One SEO plugin exposed its global AI access token to any logged-in user with Contributor-level permissions, risking unauthorized AI usage and service credit depletion. The flaw, stemming from a missing permission check on an API endpoint, is part of a trend,...
Critical FortiSIEM Exploit Released: CVE-2025-64155 PoC
A critical vulnerability (CVE-2025-64155) in Fortinet's FortiSIEM platform now has public exploit code, allowing unauthenticated attackers to remotely execute arbitrary code with root privileges. Fortinet has released patches, and customers are urged to immediately upgrade to fixed versions; a te...
Google Fast Pair Devices Vulnerable to "WhisperPair" Hack
A critical flaw named "WhisperPair" in Google's Fast Pair protocol allows attackers to remotely hijack compatible audio devices from up to 14 meters away, potentially turning them into surveillance tools. The vulnerability affects a wide range of popular audio devices from multiple manufactur...
Critical FortiSIEM Flaw Patched: Remote Code Execution Risk
A critical, unauthenticated OS command injection vulnerability (CVE-2025-64155) in Fortinet's FortiSIEM platform allows remote attackers to execute arbitrary code and take full control of systems. The flaw, found in the phMonitor service, involves a two-stage attack: unauthenticated argument inje...
Critical "Ni8mare" Bug Allows Hackers to Take Over n8n Servers
A critical, maximum-severity vulnerability (CVSS 10.0) in n8n allows unauthenticated remote attackers to take control of servers, posing a major risk due to the platform's widespread use and integration with sensitive enterprise systems. The flaw, named "Ni8mare," is a path traversal issue where ...
Patch Now: Critical MongoDB RCE Flaw Demands Immediate Action
A critical, high-severity vulnerability (CVE-2025-14847) in MongoDB allows unauthenticated attackers to remotely execute code by exploiting a flaw in the zlib compression implementation. Administrators must immediately upgrade to specific patched versions (e.g., MongoDB 8.2.3) or, as a workaround...
Critical WatchGuard VPN Flaw Actively Exploited
A critical, actively exploited vulnerability (CVE-2025-14733) in WatchGuard's Fireware OS allows unauthenticated remote attackers to execute arbitrary code on affected systems. The flaw impacts systems using specific IKEv2 VPN configurations, and patches are available for most supported versions,...
Critical JumpCloud Windows Agent Flaw Allows Local Privilege Escalation
A critical security flaw (CVE-2025-34352) in JumpCloud's Remote Assist for Windows agent allows local users to escalate privileges to SYSTEM level or cause denial-of-service attacks by exploiting insecure file handling during uninstallation. The vulnerability stems from the agent's uninstaller pe...
Critical Server Vulnerability Sparks Urgent Admin Response
A critical, maximum-severity vulnerability in the widely used React Server package allows attackers to easily execute arbitrary code via a single HTTP request, with public exploit code now available. The flaw's danger is amplified because React is integrated by default into many popular framework...
Patch Now: CISA Warns of Active Oracle Identity Manager Attack
A critical vulnerability (CVE-2025-61757) in Oracle Identity Manager is being actively exploited, allowing unauthenticated attackers to execute arbitrary code via HTTP. CISA has urgently added this flaw to its Known Exploited Vulnerabilities catalog, advising immediate patching or isolation of af...
US Jury System Bug Exposed Sensitive Personal Data
A security flaw in Tyler Technologies' jury management websites exposed sensitive personal information of potential jurors across multiple U.S. and Canadian states, allowing unauthorized access through brute-force attacks due to sequential identifiers and lack of rate-limiting. Exposed data inclu...
Pentiment, Other Games Pulled From Steam Amid Unity Security Flaw
A security flaw in Unity game engine versions from 2017.1 onward has led to the temporary removal of several popular games from Steam, affecting multiple platforms but with no current evidence of exploitation. The vulnerability, reported responsibly by a researcher, could allow unsafe file loadin...
Unity Uncovers Major 2017 Security Flaw in Dev Tool
Unity has identified a significant security flaw in its development platform since 2017, allowing attackers to execute unauthorized code and steal data across Android, Windows, Linux, and macOS systems. The company has released comprehensive fixes for all affected Unity Editor versions and a bina...
Perplexity Comet Browser Flaw Exposed Users to System Attacks
Security researchers discovered a critical vulnerability in Perplexity's Comet browser, where its MCP API allowed built-in extensions to execute commands on the user's operating system, bypassing standard browser protections. The flaw could enable attackers to take control of devices or deploy ma...
Microsoft Fixes Critical WSUS Flaw Under Active Attack
Microsoft has released an emergency patch for a critical, actively exploited vulnerability (CVE-2025-59287) in Windows Server Update Services, allowing unauthorized remote code execution without user interaction. The flaw is wormable and could enable attackers to take control of WSUS servers, pot...
Urgent WD My Cloud Flaw Enables Remote Hacks
Western Digital released an urgent firmware update (version 5.31.108) to fix a critical security flaw (CVE-2025-30247) in multiple My Cloud NAS devices, which allows remote command execution via crafted HTTP requests. The update applies to several models, but end-of-support devices like the My Cl...
Critical Veeam Flaws Let Hackers Execute Code on Backup Servers
Veeam has released a critical security patch for its Backup & Replication software to address a high-severity remote code execution vulnerability (CVE-2025-59470) that requires privileged account access. The update fixes two additional vulnerabilities, including one allowing remote code execution...
Oracle Issues Urgent Patch for Critical E-Business Suite Flaw
Oracle has released an urgent security patch for a critical vulnerability (CVE-2025-61884) in its E-Business Suite, which can be exploited remotely without authentication to access confidential information. The vulnerability, with a CVSS score of 7.5, affects EBS versions 12.2.3 to 12.2.14, and O...
Partiful Exposed User Locations in Uploaded Photos
Partiful has become a leading social event planning app, surpassing Facebook in popularity due to its retro designs and easy RSVP system, earning it Google's best app of 2024 award. The app faced scrutiny over data privacy, as it failed to strip location metadata from user-uploaded photos, potent...
Tile Trackers' Security Flaw Exposes Users to Stalking Risk
A security flaw in Tile tracking devices allows malicious actors to exploit vulnerabilities for stalking, enabling unauthorized tracking through unencrypted data broadcasts and static MAC addresses. Unlike competitors that rotate both unique IDs and MAC addresses, Tile only changes the unique ID,...
OnePlus SMS Vulnerability Puts Your Phone at Risk
A serious security vulnerability in OnePlus smartphones running OxygenOS 12 or newer allows apps to silently access SMS and MMS messages without user permission, posing a major privacy risk. The flaw stems from OnePlus's modifications to an Android core component and has been acknowledged by the ...
Fortra Issues Critical Alert for GoAnywhere MFT Vulnerability
Fortra has issued an urgent alert for a critical vulnerability (CVE-2025-10035) in GoAnywhere MFT software, allowing remote command injection due to unsafe data deserialization. The vulnerability can be exploited without user interaction, particularly affecting internet-exposed Admin Consoles, an...
WatchGuard Issues Critical Firewall Vulnerability Alert
WatchGuard has disclosed a critical remote code execution vulnerability (CVE-2025-9242) in its Firebox firewalls, allowing unauthenticated attackers to run arbitrary code on affected devices. The flaw impacts Fireware OS versions 11.x, 12.x, and 2025.1, specifically when IKEv2 VPN is configured, ...
Perplexity Comet Browser Prompt Injection Vulnerability Exposed
A security flaw in Perplexity's Comet AI browser allows attackers to inject malicious prompts via webpages, potentially accessing sensitive information from other open tabs. The vulnerability occurs because the AI processes webpage content without distinguishing between legitimate user instructio...
New TheTruthSpy Flaw Exposes Phone Spyware Victims
A critical vulnerability in TheTruthSpy spyware platform allows attackers to hijack accounts and access sensitive personal data from compromised devices without consent. TheTruthSpy has a history of security failures, including multiple data breaches and inadequate protection practices, yet conti...
Microsoft Issues Critical Windows Update Amid Active Attacks
Microsoft has issued an urgent security update for Windows Server to patch a critical vulnerability (CVE-2025-59287) that is actively being exploited, allowing remote code execution with system privileges. Only servers with the WSUS Server Role enabled are vulnerable, and CISA has mandated federa...
Microsoft Entra ID Flaw Let Attackers Hijack Company Tenants
A critical vulnerability (CVE-2025-55241) in Microsoft's Entra ID could have allowed attackers to gain full control over an organization's tenant by exploiting unsigned "actor tokens" and a weakness in the Azure AD Graph API. The flaw enabled attackers to impersonate any user, escalate privileges...
Urgent Patch: Critical Passwordstate Vulnerability Exposed
A critical security update is required for Passwordstate to address a high-severity vulnerability that allows attackers to bypass authentication and gain administrative control. The flaw involves a manipulated URL targeting the emergency access page, enabling unauthorized access to the administra...
ChatGPT Agent Aided Gmail Security Breach by Researchers
A new attack called Shadow Leak exploited AI agents to access sensitive Gmail data without triggering alerts, highlighting vulnerabilities in AI systems with data permissions. The breach used prompt injection to manipulate OpenAI's Deep Research tool into extracting confidential emails, bypassing...
AI Toy Chat Exposed: Kids' Data Leaked via Gmail
A popular AI-powered children's toy, Bondu, had a severe security flaw that exposed tens of thousands of children's private conversations and personal data through a simple login vulnerability in its web portal. The exposed data included highly sensitive information like full names, birth dates, ...
8 Million Users' Browser Extensions Harvest AI Chat Data
Several popular browser extensions with millions of installations are secretly harvesting users' complete AI chat conversations from platforms like ChatGPT and Claude, directly contradicting their stated privacy policies. Despite many carrying a "Featured" badge from Google or Microsoft, these ex...
Critical RCE Flaw in Western Digital My Cloud NAS (CVE-2025-30247)
Western Digital has released a critical firmware update (version 5.31.108) to fix a severe remote code execution vulnerability (CVE-2025-30247) in multiple My Cloud NAS models, urging immediate installation to prevent unauthorized access and system takeover. The vulnerability is an OS command inj...
AI Toy Leaked 50,000 Kids' Chats to Any Gmail User
A security investigation revealed a major privacy breach in an AI toy, exposing tens of thousands of children's private chat transcripts and personal data like names and family details to the public internet. The data was accessed without hacking through an unprotected web portal, highlighting cr...
AI Startup Exposed Database Leaks Massive Nude Image Trove
A major security breach at an AI startup exposed over a million images and videos, predominantly nonconsensual adult content, including digitally manipulated imagery that placed children's faces on nude bodies. The unsecured database, linked to sites like MagicEdit, was growing rapidly and highli...
WhatsApp Security Flaw Exposed 3.5 Billion Users
A security vulnerability in WhatsApp's contact discovery system allowed researchers to verify nearly all active accounts and access profile details for a significant portion of its 3.5 billion users. Meta addressed the flaw by October after being notified, implementing stricter rate-limiting to p...
Microsoft Blocks Dangerous File Previews in Windows
The October 2025 Windows update disables the File Explorer Preview Pane for files marked from the internet or accessed from untrusted network shares to enhance security. This change prevents NTLM hash leakage, a vulnerability where previewing certain files could allow attackers to intercept and m...
Scam Emails Spoofing Real Microsoft Addresses
A sophisticated email scam exploits a legitimate Microsoft address (no-reply-powerbi@microsoft.com) to send fake Power BI subscription invoices, tricking users into believing they've been charged $399. The campaign weaponizes Microsoft's own official guidance, as the address is genuinely used for...
University of Pennsylvania Discloses New Data Breach Following Oracle Hack
The University of Pennsylvania suffered a data breach after attackers exploited a zero-day flaw in Oracle's financial software, compromising personal information and linking the incident to the Clop ransomware gang's extortion campaign. While the university officially notified 1,488 affected indi...
Unity Q3 2025 Revenue Climbs as Unity 6 Nears 10M Downloads
Unity reported a 5% year-over-year revenue increase to $471 million, driven by growth in both its Create and Grow Solutions segments, despite a net loss of $127 million. The company highlighted strong subscription revenue in Create Solutions and the Unity Ad Network in Grow Solutions, with CEO Ma...