BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are listed below - CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the

CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials,

What Changes When Your Software Supply Chain Includes AI Writing Your Code? Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

What Changes When Your Software Supply Chain Includes AI Writing Your Code?

Software supply chain security was hard enough. Then AI joined the build pipeline. For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody chose on purpose? SolarWinds, Log4Shell, and XZ Utils all taught the same lesson: the risk lives less in the code a

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise. The one-click vulnerability has been codenamed WriteOut by the Sand Security Research team. "An outsider could go from having no access to taking over any Writer AI

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it

CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the

15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has shipped updates to address multiple critical security flaws impacting UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could result in privilege escalation and arbitrary command execution. The list of vulnerabilities is as follows - CVE-2026-50746 (CVSS score: 10.0) - An improper access control vulnerability in UniFi Connect Application that an attacker

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a proof-of-concept published Wednesday by the AI Now Institute, an attack it calls "Friendly Fire." It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own

Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges

Microsoft has released security updates for a Defender vulnerability known as RoguePlanet, nearly a month after details of the flaw became public. The vulnerability, tracked as CVE-2026-50656 (CVSS score: 7.8), is a privilege escalation issue in the Microsoft Malware Protection Engine ("mpengine.dll"), which provides scanning, detection, and cleaning capabilities for its antivirus and

Summer of Clearinghouses Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Summer of Clearinghouses

Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets it apart is that it was already real and running when we announced it β€” built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs,

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in - allowScripts defaults to off, meaning

Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets

Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher SΓ©bastien FΓ©ry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched Vulnerabilities The Hacker News
The Hacker News Jul 10, 2026 1 min read

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs

Showing 10–18 of 38 articles
Prev 1 2