top of page
ALL POSTS
New Fragnesia Linux Kernel LPE Vulnerability Grants Root Access Through Page Cache Corruption
Key Findings CVE-2026-46300 (Fragnesia) is a new Linux kernel LPE vulnerability with CVSS score 7.8 that grants unprivileged attackers root access via page cache corruption The flaw exists in the XFRM ESP-in-TCP subsystem and was discovered by William Bowling of the V12 security team Unlike the related Dirty Frag vulnerability, Fragnesia requires no host-level privileges for exploitation This is the third major Linux kernel LPE discovered in two weeks, following Copy Fail and
May 143 min read
ClaudeBleed: Hackers Exploit Chrome Extension Vulnerability to Hijack Claude and Steal Data
Key Findings LayerX researchers discovered ClaudeBleed, a critical vulnerability in Claude's Chrome extension that allows any other browser extension to take full control of the AI assistant The flaw stems from improper message source verification, allowing malicious scripts to issue commands to Claude without user knowledge or consent Attackers can extract files from Google Drive, read private emails, send messages on behalf of users, and access GitHub repositories Anthropic
May 83 min read
Ivanti EPMM CVE-2026-6973 RCE Actively Exploited to Grant Admin-Level Access
Key Findings Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2026-6973 is under active exploitation in limited attacks, requiring administrative authentication for RCE Five additional vulnerabilities patched in EPMM range from CVSS 7.0 to 8.9, with multiple allowing unauthenticated access and privilege escalation CISA added CVE-2026-6973 to Known Exploited Vulnerabilities catalog, mandating Federal agencies patch by May 10, 2026 Palo Alto Networks PAN-OS critical buff
May 73 min read
Google Reshapes Bug Bounty Payouts: Android Rewards Surge While Chrome Bounties Decline in AI Era
Key Findings Google increased Android bug bounty rewards up to $1.5 million for zero-click Pixel exploits, while Chrome payouts dropped significantly across most categories The overhaul prioritizes high-impact vulnerabilities and those resistant to AI detection, shifting focus from quantity to quality Chrome base rewards for memory safety issues fell to $500 with multipliers, down from previous levels, with some rewards now 10 times smaller Google phased out bonuses for arbit
May 33 min read
CISA Adds Actively Exploited Linux Root Access Vulnerability to Known Exploited Vulnerabilities Catalog
Key Findings CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild The Linux kernel flaw allows unprivileged local users to gain root-level access through a 732-byte Python exploit Nine-year-old vulnerability resulted from three separate kernel changes made in 2011, 2015, and 2017 that individually seemed harmless Patches available in Linux kernel versions 6.18.22, 6.19.12, and 7.0 Federal agencies must apply fixe
May 32 min read
Copy Fail: New Linux Bug Enables Root Access via Page-Cache Corruption
Key Findings CVE-2026-31431 ("Copy Fail") allows any unprivileged local user to write 4 controlled bytes into the page cache of readable files A 732-byte Python script can modify setuid binaries in memory and escalate privileges to root The vulnerability affects all major Linux distributions (Ubuntu, RHEL, SUSE, Amazon Linux) with kernels built between 2017 and the patch date Exploits are race-free, stealthy, and can cross container boundaries due to shared page cache CVSS sc
May 13 min read
Critical Linux "Copy Fail" Vulnerability Grants Root Access Across Major Distributions
Key Findings CVE-2026-31431 (Copy Fail) is a 9-year-old Linux kernel vulnerability enabling unprivileged users to gain root access A 732-byte Python script can exploit the flaw to modify setuid binaries in memory and achieve root privileges The vulnerability affects all major Linux distributions since 2017, including Ubuntu, RHEL, Amazon Linux, SUSE, and Debian Exploitation is reliable and portable across distributions with no race conditions required The flaw exists in the a
Apr 303 min read
CVE-2026-42208: LiteLLM SQL Injection Vulnerability Exploited Within 36 Hours of Public Disclosure
Key Findings Critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM Python package exploited within 36 hours of public disclosure Affects versions 1.81.16 through 1.83.6; patched in version 1.83.7 released April 19, 2026 First exploitation attempt recorded April 26 at 16:17 UTC from IP 65.111.27.132 Threat actor demonstrated precise knowledge of LiteLLM database schema, targeting high-value credential tables No confirmed data theft or credential
Apr 293 min read
CISA Adds Microsoft Windows Shell and ConnectWise ScreenConnect Vulnerabilities to Known Exploited Vulnerabilities Catalog
Key Findings CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog CVE-2024-1708 is a critical path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4) allowing remote code execution CVE-2026-32202 is a Windows Shell spoofing vulnerability (CVSS 4.3) currently under active exploitation by multiple threat actors Federal agencies must patch both vulnerabilities by May 12, 2026 The ConnectWise flaw has been chained with a critical au
Apr 292 min read
CVE-2026-3854: Critical GitHub Remote Code Execution Vulnerability Discovered
Key Findings Critical vulnerability CVE-2026-3854 allows remote code execution on GitHub through a single git push command Affects GitHub Enterprise Cloud, GitHub Enterprise Server, and related variants Command injection flaw exploitable by any user with repository push access Vulnerability chain enables attackers to bypass sandbox protections and execute arbitrary commands as the git service user Wiz researchers discovered the flaw on March 4, 2026; GitHub patched within two
Apr 282 min read
GitHub CVE-2026-3854: Critical RCE Vulnerability Triggered by Single Git Push
Key Findings Critical command injection vulnerability (CVE-2026-3854, CVSS 8.7) allows authenticated users to achieve remote code execution via a single git push command Affects GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server across multiple versions Flaw stems from unsanitized user-supplied git push options being embedded in internal service headers without proper delimiter handling Exploitation chain allows attackers to bypass sandbox protections, redirect
Apr 283 min read
Critical CrowdStrike LogScale Vulnerability Exposes Files to Unauthorized Access
Key Findings CrowdStrike disclosed CVE-2026-40050, a critical unauthenticated path traversal vulnerability in LogScale self-hosted The flaw allows remote attackers to read arbitrary files from server filesystems without authentication Next-Gen SIEM and LogScale SaaS customers are not affected due to network-layer mitigations applied April 7, 2026 Self-hosted LogScale customers must urgently upgrade to patched versions No known active exploitation has occurred to date The vuln
Apr 272 min read
Critical Microsoft Entra Agent ID Vulnerability Allows Complete Tenant Takeover Through Privilege Escalation
Key Findings Silverfort researchers discovered a critical privilege escalation vulnerability in Microsoft Entra Agent ID that allowed tenant takeover through Service Principal hijacking The Agent ID Administrator role had overly broad permissions, enabling attackers to modify any Application Service Principal instead of just agent-related objects Attackers could inject credentials into high-privilege Service Principals and authenticate as them, gaining full tenant control Vul
Apr 262 min read
PhantomRPC: Windows RPC Privilege Escalation Vulnerability Discovered
Key Findings PhantomRPC is a novel local privilege escalation vulnerability in Windows RPC architecture affecting likely all Windows versions Vulnerability enables processes with impersonation privileges to escalate to SYSTEM level permissions Five distinct exploitation paths identified across local service, network service, and user contexts Differs fundamentally from "Potato" exploit family but remains unpatched despite responsible disclosure Architectural weakness creates
Apr 252 min read
Claude Opus Generated a Chrome Exploit for $2,283
Key Findings Claude Opus 4.6 successfully generated a functional Chrome exploit chain for $2,283 in API costs across 2.33 billion tokens The exploit targeted Discord's bundled Chrome version 138, which lagged nine major versions behind current upstream releases Exploit development required approximately 20 hours of human guidance, with the AI frequently getting stuck and requiring operator intervention Bug bounty programs like Google's v8CTF offer $5,000-$10,000 per valid exp
Apr 204 min read
ShowDoc Vulnerability From 2020 Patch Now Exploited in Active Server Takeovers
Key Findings Five-year-old ShowDoc vulnerability (CVE-2025-0520) is being actively exploited in global server attacks CVSS score of 9.4 indicates critical severity allowing remote code execution and full server takeover Unrestricted file upload flaw enables attackers to bypass authentication and deploy web shells without credentials Over 2,000 ShowDoc instances remain exposed online, primarily in China, many running unpatched versions US-based security canary confirmed active
Apr 193 min read
PHP Composer Vulnerabilities Allow Remote Code Execution Through Perforce Integration
Key Findings Two high-severity command injection vulnerabilities discovered in PHP Composer's Perforce VCS driver CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8) allow arbitrary command execution through malicious repository configs and crafted inputs Patches released: Composer 2.9.6 (mainline) and 2.2.27 (LTS) No active exploitation detected on Packagist.org or Private Packagist as of April 10, 2026 Perforce metadata publishing temporarily disabled as precaution Back
Apr 152 min read
Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621
Key Findings Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript Evidence suggests exploitation has been occurring since at least December 2025 Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs Affected versions include Acrob
Apr 122 min read
Marimo RCE Vulnerability CVE-2026-39987 Under Active Exploitation Since Disclosure
Key Findings Critical RCE vulnerability CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 9 hours 41 minutes of disclosure Unauthenticated attackers can obtain full interactive shell access on exposed instances through /terminal/ws WebSocket endpoint Affects all Marimo versions up to 0.20.4; patched in version 0.23.0 Unknown threat actor built working exploit from advisory alone, with no public PoC available Attacker conducted credential theft operation and reconnaissance,
Apr 102 min read
Thousands of F5 BIG-IP APM Instances Remain Vulnerable to Active RCE Exploits
Key Findings Over 14,000 F5 BIG-IP APM instances remain exposed online with active exploitation of CVE-2025-53521 Vulnerability reclassified from denial-of-service to critical remote code execution with CVSS score of 9.8 Originally disclosed in October 2025, but severity assessment updated in March 2026 after new findings Shadowserver tracks over 17,100 total BIG-IP APM fingerprints exposed globally, concentrated in US, Europe, and Asia CISA added flaw to Known Exploited Vuln
Apr 62 min read
bottom of page
