Alerts

Alerts

Critical Code Injection Flaw in Orval Threatens JavaScript Supply Chain (CVE-2026-23947)

Developers using Orval to generate type-safe clients from OpenAPI specifications are being urged to update immediately after the discovery of a critical code injection vulnerability that threatens the JavaScript supply chain. The flaw, tracked as CVE-2026-23947, carries a CVSS score of 9.3 and allows attackers to execute arbitrary code

Alerts

Cisco Unified Communications Zero-Day Exploited in the Wild for Root Access (CVE-2026-20045)

Cisco has disclosed a critical zero-day vulnerability in its Unified Communications products that is being actively exploited in the wild, allowing unauthenticated attackers to execute arbitrary commands and gain root access on affected systems. The vulnerability, tracked as CVE-2026-20045, affects the web-based management interface of multiple Cisco UC products. Cisco&

Alerts

Google Chrome 144 Patches High-Severity V8 Race Condition (CVE-2026-1220)

Google has released a security update for Chrome addressing a high-severity vulnerability in the V8 JavaScript engine that powers the browser. The flaw, tracked as CVE-2026-1220, is a race condition in V8—the component responsible for executing JavaScript code. Race conditions occur when the timing of operations can be exploited

Alerts

Critical Zoom Flaw Allows Meeting Participants to Execute Code on Enterprise Servers (CVE-2026-22844)

Zoom has disclosed a critical command injection vulnerability affecting its enterprise hybrid meeting infrastructure that could allow a meeting participant to execute arbitrary code on backend servers. The vulnerability, tracked as CVE-2026-22844, carries a CVSS score of 9.9 and affects Zoom Node Multimedia Routers (MMRs)—the components responsible for

Alerts

Oracle January 2026 Critical Patch Update Fixes 336 Vulnerabilities Including CVSS 10.0 Fusion Middleware Flaw

Oracle has released its January 2026 Critical Patch Update (CPU), addressing 336 new security vulnerabilities across its enterprise software portfolio. Among the most severe is a maximum-severity flaw in Oracle Fusion Middleware that could allow attackers to seize complete control of affected servers without authentication. The Critical Flaw The vulnerability,

Alerts

Cloudflare WAF Zero-Day Allowed Attackers to Bypass Security Controls via ACME Challenge Path

A critical zero-day vulnerability in Cloudflare's Web Application Firewall (WAF) allowed attackers to bypass security controls and directly access protected origin servers. Security researchers at FearsOff discovered that requests targeting the /.well-known/acme-challenge/ directory could reach origin servers even when WAF rules explicitly blocked all other traffic. How

Alerts

Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021)

A critical remote command injection vulnerability has been discovered in Apache bRPC, with over 4,000 exposed instances identified online. Vulnerability Details CVE IDCVSS ScoreTypeAffected VersionsCVE-2025-600219.8 (Critical)Remote Command InjectionAll versions prior to 1.15.0 The flaw exists in the heap profiler's extra_options parameter. Attackers

Alerts

Critical Deno Vulnerabilities Enable Server Secrets Exposure and Windows Command Injection

Two significant security vulnerabilities have been discovered in Deno, the modern JavaScript and TypeScript runtime known for its "secure by default" architecture. The flaws could expose sensitive server secrets and allow command injection on Windows systems. Vulnerabilities CVE IDCVSS ScoreTypeImpactCVE-2026-228639.2 (Critical)Missing Cryptographic StepSecrets exposureCVE-2026-22864HighCommand InjectionArbitrary code

Alerts

ConnectWise Patches High-Severity XSS and Session Cookie Vulnerabilities in PSA Platform

ConnectWise has released a security update for its Professional Services Automation (PSA) platform, addressing two vulnerabilities that could allow stored script execution and session cookie theft. The company recommends upgrading to version 2026.1 as soon as possible. Vulnerabilities CVE IDTypeCVSS ScoreImpactCVE-2026-0695Cross-Site Scripting (XSS)8.7 (High)Stored script executionCVE-2026-0696Sensitive

Alerts

Electron Vulnerability Allows Backdooring of Signal, 1Password, Slack, and Chrome

Security researchers at Trail of Bits have discovered a critical vulnerability in Electron-based applications that allows attackers to inject persistent backdoors into Signal, 1Password, Slack, and Chrome by tampering with V8 heap snapshot files. Tracked as CVE-2025-55305, the flaw bypasses code integrity checks in nearly all applications built on the

Alerts

Cisco Zero-Day RCE in Secure Email Gateway Actively Exploited by China-Linked Threat Actor

Cisco has confirmed active exploitation of a critical zero-day vulnerability in its Secure Email Gateway and Secure Email and Web Manager appliances. Tracked as CVE-2025-20393, the flaw carries a maximum CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary commands with root privileges via crafted HTTP requests.

Alerts

Critical AWS CodeBuild Flaw Exposed AWS Console to Supply Chain Attack

Critical AWS CodeBuild Flaw Exposed AWS Console to Supply Chain Attack A critical misconfiguration in AWS CodeBuild could have allowed attackers to compromise key AWS-owned GitHub repositories, including the JavaScript SDK that powers the AWS Console itself. Security researchers at Wiz Research discovered the vulnerability, dubbed "CodeBreach," which