Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Threat actors are purchasing Google Ads to rank malicious phishing pages for ManageWP login terms, intercepting administrators searching for legitimate access. This exploits Google's ad system to deliver credential theft at scale against a platform managing thousands of WordPress deployments.
The Grav Login plugin fails to validate user-supplied `groups` and `access` fields during registration, allowing unauthenticated attackers to self-register with administrative privileges when these fields are included in the allowed registration fields configuration.
Grav CMS contains five remote code execution vulnerabilities spanning unsafe unserialize() calls without class restrictions and unescaped shell parameters in git operations. This PoC is significant because it demonstrates ecosystem-wide deserialization hygiene gaps and highlights that security controls exist in the same codebase but are inconsistently applied.
Two compounding defects in ArcadeDB allow authenticated users to bypass database and record-level authorization controls: uninitialized fileAccessMap treated as allow-all, and newly-created databases with disabled security factories. Any authenticated principal can read/write/mutate schemas across all databases on a shared server.
The FTC has banned data broker Kochava from selling precise geolocation data without explicit consumer consent, settling charges that the company monetised location information harvested from hundreds of millions of mobile devices. This represents meaningful regulatory intervention in the location data market.
A 23-year-old student in Taiwan gained unauthorised access to the TETRA communication system used by the high-speed railway network and triggered emergency brake sequences. This demonstrates direct vulnerabilities in critical infrastructure communications that lack adequate access controls.
CVE-2026-40281 demonstrates a bypass of Gotenberg v8.30.1's metadata sanitization by injecting newline characters into metadata VALUES (not keys), allowing arbitrary ExifTool pseudo-tag execution and file system manipulation. Defenders must patch immediately and audit all metadata input handling.
A logic error in the Patreon OAuth provider causes all authenticated users to map to an identical local user ID, collapsing distinct accounts into a single identity and enabling unauthorized cross-user access.
A 15-year-old was detained for allegedly stealing and selling data from France Titres (ANTS), the agency managing national identity and administrative documents. The incident demonstrates how young threat actors with technical capability can compromise high-value government systems and monetise sensitive personal data.
Instructure, operator of Canvas, has disclosed a cybersecurity incident under investigation. Given Canvas's penetration across schools and universities globally, any compromise of user data or platform integrity could affect millions of students and educators.
Microsoft is replacing Windows 11's legacy Run dialog with a modern variant featuring dark mode and claimed performance improvements. This is a user experience refresh with no direct security implications, though modernisation efforts occasionally surface adjacent hardening opportunities.
fabric-sdk-java's Channel.deSerializeChannel() deserializes untrusted byte arrays without an ObjectInputFilter, enabling remote code execution via gadget chain exploitation. This PoC demonstrates a fundamental deserialization flaw in deprecated but still-deployed SDKs.
A prototype pollution flaw in n8n's xml2js-based webhook handler allows authenticated users to corrupt JavaScript object prototypes, which can be chained with Git node SSH operations to achieve remote code execution on the host system.
A critical authentication bypass in cPanel and WHM affects all versions except the latest, allowing unauthenticated attackers to gain full control panel access. This threatens the administrative interfaces of millions of hosted websites and is likely already being exploited in the wild.
Three Ukrainian criminals were arrested after compromising 610,000 Roblox accounts and selling them for approximately $225,000. The case highlights the persistent market for stolen gaming credentials and the cross-border enforcement challenges in combating organised account theft.
Two authentication bypass vulnerabilities in Qinglong, an open-source task scheduler popular with developers, are being actively exploited to deploy cryptominers on compromised servers. The flaws allow unauthenticated remote code execution, making this a significant threat to any organisation running unpatched instances.
The Quick Page/Post Redirect WordPress plugin contained a backdoor injected five years ago that remained undetected across 70,000+ installations, allowing arbitrary code execution. This demonstrates how supply-chain compromises can persist for years within popular plugins before discovery.
Official SAP npm packages were compromised to inject credential-stealing malware, directly compromising developers' authentication tokens and local systems. This represents a high-impact supply-chain attack against enterprise development environments at scale.
LangChain Core 1.2.4 contains a Server-Side Template Injection (SSTI) vulnerability in template processing that allows unauthenticated remote code execution. This PoC demonstrates the need for immediate input validation hardening in LLM framework integrations.
LAPSUS$ threat group confirmed leaking proprietary source code and internal data stolen from Checkmarx's private GitHub repositories. The breach affects a major application security vendor and raises concerns about the security posture of tools trusted to protect enterprise software supply chains.
A 19-year-old dual US-Estonian national arrested in Finland faces federal charges for membership in Scattered Spider, a prolific collective known for social engineering and financial fraud targeting critical sectors. The arrest demonstrates law enforcement coordination across jurisdictions but does not significantly disrupt the group's operational capacity.
Vimeo disclosed unauthorised access to customer and user data following a breach at Anodot, a third-party data anomaly detection service integrated into Vimeo's infrastructure. This exposes the risk of supply-chain compromise through monitoring and analytics vendors.
A pre-authentication SQL injection in BerriAI's LiteLLM Python package (CVE-2026-42208, CVSS 9.3) is being actively exploited within 36 hours of public disclosure. The flaw enables unauthenticated attackers to access and modify sensitive data stored in LLM gateway deployments.
VECT 2.0 ransomware contains a critical implementation flaw in nonce handling that causes it to permanently destroy files above a certain size rather than encrypt them. This unintended behaviour converts the malware into a data wiper, eliminating ransom recovery options and increasing damage to victims.
The FTC reports that Americans lost over $2.1 billion to social media scams in 2025, representing a sustained and accelerating trend since 2020. This reflects a fundamental failure of platforms to implement effective fraud detection and user verification controls, creating an environment where scammers operate with minimal friction.