Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Attackers are running a malvertising campaign using Google Ads and Claude.ai shared chats to redirect users searching for Claude downloads to malware installers. The campaign exploits search engine placement and trusted service reputation to compromise macOS systems.
free5GC's NEF service exposes the nnef-pfdmanagement API without OAuth2 validation, allowing unauthenticated attackers to read sensitive PFD application data and manipulate subscriptions. This PoC confirms a deployment-wide authentication bypass in production-declared routes.
Snipe-IT versions ≤8.4.0 suffer from an authorization bypass in the file upload API endpoint that allows authenticated users with only 'view' permissions to upload arbitrary files, leading to remote code execution. Defenders must immediately patch or restrict API access.
Cybercriminals breached Canvas, a learning management system serving 9,000 educational institutions, and defaced login pages with ransom demands whilst threatening to leak records for 275 million students and faculty. The attack represents a supply-chain compromise of education infrastructure affecting operational continuity at scale.
SecurityWeek reports on three concurrent threat developments: a train system attacker's arrest, PamDOORa Linux backdoor discovery, and novel mobile malware abusing Windows Phone Link for OTP theft, alongside policy moves on patch cycle acceleration and espionage targeting drone manufacturers.
cPanel has released patches for three vulnerabilities including insufficient input validation in feature file handling and unspecified code execution issues. These affect a critical infrastructure component used by hosting providers and require immediate patching.
General Motors agreed to pay $12 million to California, marking the largest CCPA fine in over five years, for alleged privacy violations involving driver data. This settlement demonstrates regulatory willingness to impose substantial penalties on automotive manufacturers for data handling practices.
Attackers compromised the JDownloader website and replaced legitimate installers with malicious builds containing a Python-based remote access trojan, affecting both Windows and Linux users downloading from the official source.
A critical vulnerability in vm2 allows attackers to mutate host prototypes, enabling sandbox escapes. The PoC highlights the risk of untrusted code accessing and modifying core JavaScript objects.
The `module` builtin in NodeVM allows bypassing the built-in allowlist, enabling sandbox escape and remote code execution.
A critical sandbox escape vulnerability in vm2 allows attackers to execute arbitrary code directly on the host system, potentially compromising any Node.js application using vm2 for code isolation.
Threat actors are purchasing Google Ads to rank malicious phishing pages for ManageWP login terms, intercepting administrators searching for legitimate access. This exploits Google's ad system to deliver credential theft at scale against a platform managing thousands of WordPress deployments.
The Grav Login plugin fails to validate user-supplied `groups` and `access` fields during registration, allowing unauthenticated attackers to self-register with administrative privileges when these fields are included in the allowed registration fields configuration.
Grav CMS contains five remote code execution vulnerabilities spanning unsafe unserialize() calls without class restrictions and unescaped shell parameters in git operations. This PoC is significant because it demonstrates ecosystem-wide deserialization hygiene gaps and highlights that security controls exist in the same codebase but are inconsistently applied.
Two compounding defects in ArcadeDB allow authenticated users to bypass database and record-level authorization controls: uninitialized fileAccessMap treated as allow-all, and newly-created databases with disabled security factories. Any authenticated principal can read/write/mutate schemas across all databases on a shared server.
The FTC has banned data broker Kochava from selling precise geolocation data without explicit consumer consent, settling charges that the company monetised location information harvested from hundreds of millions of mobile devices. This represents meaningful regulatory intervention in the location data market.
A 23-year-old student in Taiwan gained unauthorised access to the TETRA communication system used by the high-speed railway network and triggered emergency brake sequences. This demonstrates direct vulnerabilities in critical infrastructure communications that lack adequate access controls.
CVE-2026-40281 demonstrates a bypass of Gotenberg v8.30.1's metadata sanitization by injecting newline characters into metadata VALUES (not keys), allowing arbitrary ExifTool pseudo-tag execution and file system manipulation. Defenders must patch immediately and audit all metadata input handling.
A logic error in the Patreon OAuth provider causes all authenticated users to map to an identical local user ID, collapsing distinct accounts into a single identity and enabling unauthorized cross-user access.
A 15-year-old was detained for allegedly stealing and selling data from France Titres (ANTS), the agency managing national identity and administrative documents. The incident demonstrates how young threat actors with technical capability can compromise high-value government systems and monetise sensitive personal data.
Instructure, operator of Canvas, has disclosed a cybersecurity incident under investigation. Given Canvas's penetration across schools and universities globally, any compromise of user data or platform integrity could affect millions of students and educators.
Microsoft is replacing Windows 11's legacy Run dialog with a modern variant featuring dark mode and claimed performance improvements. This is a user experience refresh with no direct security implications, though modernisation efforts occasionally surface adjacent hardening opportunities.
fabric-sdk-java's Channel.deSerializeChannel() deserializes untrusted byte arrays without an ObjectInputFilter, enabling remote code execution via gadget chain exploitation. This PoC demonstrates a fundamental deserialization flaw in deprecated but still-deployed SDKs.
A prototype pollution flaw in n8n's xml2js-based webhook handler allows authenticated users to corrupt JavaScript object prototypes, which can be chained with Git node SSH operations to achieve remote code execution on the host system.
A critical authentication bypass in cPanel and WHM affects all versions except the latest, allowing unauthenticated attackers to gain full control panel access. This threatens the administrative interfaces of millions of hosted websites and is likely already being exploited in the wild.