#vulnerability
30 stories tagged vulnerability.

Oracle E-Business Suite Payments Bug Hits CVSS 9.8, Already Being Hit
CVE-2026-46817 lets unauthenticated attackers take over Oracle Payments. Exploitation is happening now.

CVE-2025-67038: Lantronix Serial-to-IP Flaw Moves From Research to Active Exploitation
A vulnerability disclosed through the BRIDGE:BREAK project is now seeing exploitation in the wild, raising fresh concerns about attacker interest in operational technology network edges.

Cordyceps Flaw Class Hands Attackers the Keys to 300+ GitHub Repos
A newly catalogued CI/CD weakness lets attackers hijack workflows at Microsoft, Google and Apache projects, researchers say.

Cisco Unified CM Bug Under Active Exploit After PoC Drops Root File-Write Chain
CVE-2026-20230 (CVSS 8.6) lets unauthenticated attackers smuggle crafted HTTP requests into Unified CM. Cisco's PSIRT confirms in-the-wild attempts following public PoC release.

FFmpeg Vulnerability 'PixelSmash' Threatens Media Applications
A critical flaw in FFmpeg's MagicYUV decoder reveals the fragility of software supply chains.

PixelSmash Bug in FFmpeg Decoder Opens RCE Path on Jellyfin
A newly disclosed flaw in FFmpeg's PixletVideo decoder enables remote code execution against Jellyfin under specific conditions, with denial-of-service fallout for Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio.

Squidbleed: A 1997 FTP Parsing Bug Is Still Leaking Cleartext HTTP in Squid Proxies
A heap over-read disclosed by Calif.io exposes other users' requests — credentials and session tokens included — to anyone permitted to send traffic through the same proxy.

FortiBleed Campaign Hits 86,644 FortiGate Boxes; CISA Pushes Customers to Lock Down
Russian-speaking operators are working through internet-exposed Fortinet appliances at scale. CISA wants admins moving now.

June Patch Tuesday Breaks OLE Automation, Leaves Word and Excel Silent on Failure
A Windows update shipped June 9 quietly severed the OLE bridge between Office apps and dozens of third-party tools. No error message. Just nothing.

CISA Flags Joomla Content Editor Bug as Actively Exploited; CVSS 10.0
CVE-2026-48907 in Widget Factory's JCE extension hands attackers arbitrary file actions on unpatched Joomla sites. Federal agencies get the standard three weeks.

Cisco's SD-WAN Manager Has a Write-to-Root Problem — and Attackers Found It First
CVE-2026-20262 lets an authenticated attacker overwrite arbitrary files on Cisco Catalyst SD-WAN Manager, with a clear path to root. No workaround exists. Exploitation is already underway.

Langflow's Unauthenticated File-Write Flaw Is Being Exploited — Patch Dropped 73 Days Ago
CVE-2026-5027 lets attackers write files to arbitrary paths on exposed servers, and because Langflow ships with login disabled by default, exploitation requires exactly zero credentials.

Splunk Patches CVE-2026-20253, a 9.8-Rated Unauthenticated RCE in Enterprise
The advisory covers Splunk Enterprise builds below 10.2.4 and 10.0.7, with fixed versions now available.

Oracle Patches PeopleSoft Flaw Tied to ShinyHunters Activity, Stays Quiet on Zero-Day Status
CVE-2026-35273 has a fix. Whether attackers got there first is a question Oracle isn't answering.

ServiceNow Patches Auth Bug After Attackers Pivot Deeper Into Hosted Instances
An unauthenticated flaw let intruders escalate access inside customer tenants before ServiceNow shipped a hosted-side fix.