Aggregator

A vulnerability classified as very critical has been found in Oracle Collaboration Suite 9.2.0.7. Affected is an unknown function. The manipulation leads to Remote Code Execution. This vulnerability is documented as CVE-2006-5348. The attack can be initiated remotely. Additionally, an exploit exists. It is suggested to install a patch to address this issue.

AI tools are not just creating new vulnerabilities, they are reviving old security failures, warned Jurgen Kutscher, VP of Mandiant Consulting

A vulnerability, which was classified as problematic, has been found in Python CPython up to 3.14.x. This affects an unknown function of the component Tarfile Module. This manipulation causes incorrect comparison. This vulnerability appears as CVE-2025-13462. The attack requires local access. There is no available exploit. It is advisable to upgrade the affected component.

A vulnerability was found in CPython up to 3.14.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to incorrect comparison. This vulnerability is documented as CVE-2025-8291. The attack can be initiated remotely. There is not any exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, was found in Python CPython up to 3.14.x. The affected element is the function os.path.expandvars. The manipulation results in resource consumption. This vulnerability is cataloged as CVE-2025-6075. The attack must be initiated from a local position. There is no exploit available. You should upgrade the affected component.

A vulnerability labeled as problematic has been found in Python CPython up to 3.14.x. Impacted is the function appendChild of the component xml.dom.minidom. The manipulation results in inefficient algorithmic complexity. This vulnerability was named CVE-2025-12084. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.

A vulnerability described as problematic has been identified in Python CPython up to 3.14.x. The impacted element is the function b64decode/standard_b64decode/urlsafe_b64decode. The manipulation results in incorrect type conversion. This vulnerability was named CVE-2025-12781. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, has been found in Python CPython up to 3.14.x. The impacted element is an unknown function of the component SourcelessFileLoader. The manipulation leads to exposure of resource. This vulnerability is traded as CVE-2026-2297. An attack has to be approached locally. There is no exploit available. It is advisable to upgrade the affected component.

Иранские специалисты ищут бэкдоры в западных маршрутизаторах.

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
• CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
• CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
• CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

The AI Agent Authority Gap - From Ungoverned to Delegation As discussed in our previous article, AI agents are exposing a structural gap in enterprise security, but the problem is often framed too narrowly. The issue is not simply that agents are new actors. It is that agents are delegated actors. They do not emerge with independent authority. They are triggered, invoked, provisioned, or

A vulnerability labeled as critical has been found in Linux Kernel up to 7.0-rc4. The impacted element is the function nfsd4_encode_operation of the component nfsd. Executing a manipulation can lead to out-of-bounds write. This vulnerability is registered as CVE-2026-31402. The attack requires access to the local network. No exploit is available. The affected component should be upgraded.

A vulnerability identified as critical has been detected in Google Chrome. This issue affects some unknown processing of the component DevTools. The manipulation leads to use after free. This vulnerability is referenced as CVE-2026-6919. Remote exploitation of the attack is possible. No exploit is available. You should upgrade the affected component.

A vulnerability labeled as critical has been found in sqlalchemy mako up to 1.3.10. Affected by this vulnerability is the function TemplateLookup.get_template. Executing a manipulation can lead to path traversal. The identification of this vulnerability is CVE-2026-41205. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in Google Chrome on Android. This affects an unknown function of the component GPU. Executing a manipulation can lead to out-of-bounds read. This vulnerability appears as CVE-2026-6920. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an attempt to steal recovery phrases and private keys since at least fall 2025. "Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets," Kaspersky

Security cameras are designed to keep commercial facilities safe. However, a newly disclosed critical vulnerability in Hangzhou Xiongmai Technology’s XM530 IP Cameras is putting networks at risk. Tracked under the alert code ICSA-26-113-05 and officially designated as CVE-2025-65856, this flaw allows cybercriminals to bypass authentication entirely. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued […]

The post Xiongmai IP Camera Vulnerability Let Attackers Bypass Authentication and have Remote Access appeared first on Cyber Security News.

A security vulnerability has been discovered in Python’s Windows asyncio implementation, allowing attackers to trigger out-of-bounds memory writes through a missing boundary check in network socket operations. The vulnerability, tracked as CVE-2026-3298, carries a high severity rating. It exclusively affects Windows platforms and was publicly disclosed on April 21, 2026. The flaw exists in the sock_recvfrom_into() method of Python’s asyncio.proactorEventLoop class, which is Windows’ native […]

The post Python Vulnerability Allows Out-of-Bounds Write on Windows Systems appeared first on Cyber Security News.

Microsoft says IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which has become broadly available after the April 2026 Patch Tuesday. [...]

The notorious cybercriminal group ShinyHunters has claimed responsibility for a major data breach targeting Udemy, Inc. (udemy.com), one of the world’s largest online learning platforms, and has alleged the compromise of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The claim was first observed on April 24, 2026, when ShinyHunters […]

The post Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records appeared first on Cyber Security News.