#vulnerability disclosure
31 stories taggedvulnerability disclosure · page 2 of 3.

RoguePlanet Zero-Day Drops as Nightmare Eclipse–Microsoft Feud Reaches New Low
A race-condition bug in Microsoft Defender can yield a SYSTEM shell on fully patched Windows 11 and 10. No patch exists. The researcher dropped it the day after June Patch Tuesday.

Anthropic's Mythos Shows AI Can Find Bugs Faster Than Humans. The Bug Bounty Model May Not Survive It.
Machine-speed vulnerability discovery is no longer theoretical. The question now is whether the bounty ecosystem — and the offensive security teams inside it — are priced and structured for a world where finding flaws is the easy part.

One-Click VS Code Flaw Exposed GitHub OAuth Tokens to Theft
A researcher-disclosed bug in Microsoft's browser-based VS Code variant let a single crafted link siphon tokens with read/write access to private repos.

FFmpeg Gets 21 New Bugs from an AI Fuzzer; Chrome 149 Ships a Record 429 Fixes
An autonomous agent dug up zero-days in the codec library that ships in everything. Google's browser shipped its largest single security release on record. Same week.

HTTP/2 Bomb: A Decade-Old Compression Trick Finally Gets a CVE
A chained HPACK attack lets small packets force runaway memory allocation on nginx, Apache, IIS, Envoy, and Cloudflare's Pingora. Patches are partial. Exposure is wide.

GitHub's Browser VSCode Handed Attackers a Skeleton Key to Your Private Repos
An unscoped OAuth token, a Jupyter notebook, and a skipped publisher trust check. That's all it took.

HTTP/2 Default Configs Leave Web Servers Open to Compression-Bomb, Slowloris Combo Attack
A chained exploit targeting HTTP/2's default settings can take servers offline in seconds — no patch issued yet for the underlying configuration exposure.

Microsoft Threatened a Bug Hunter With Legal Action. Now It's Walking That Back.
A researcher dropped unpatched zero-days with working exploits. Microsoft's first response was to reach for the lawyers. That went poorly.

Trump Signs AI Cybersecurity Order, Reviving the Pre-Release Review Provisions His Team Killed Two Weeks Ago
The new directive creates a voluntary framework for government review of frontier AI models and spins up a Treasury-led vulnerability clearinghouse — while going out of its way to say none of this is mandatory.

One Click, Full Shell: Flowise MCP Flaw Scores 9.9 CVSS
A sandboxing failure in Flowise's MCP stdio implementation lets an attacker execute arbitrary OS commands with process-level privileges — and the patches so far don't close the hole.

Microsoft and Researcher Nightmare Eclipse Trade Public Accusations Over Disclosure Gone Wrong
A researcher who published unpatched vulnerability details says Microsoft deleted his accounts and ruined his life. Microsoft says his drops put proof-of-concept code in criminals' hands. Neither is entirely wrong.

Account Takeover Flaw in Pretalx CFP Tool Let Attackers Accept Any Conference Talk
An account takeover vulnerability in the open-source call-for-papers platform Pretalx could allow an unauthenticated attacker to manipulate submission outcomes, researchers at Novee have found.

Ten Thousand Bugs, One Model: Inside Anthropic's Project Glasswing
Claude Mythos Preview has scanned more than a thousand open-source projects and surfaced thousands of critical flaws. The bottleneck has moved — and the patch queue is not moving fast enough.

Anthropic Says Project Glasswing AI Has Flagged 10,000 High-Severity Bugs in a Month
The Claude-based scanner has been pointed at widely deployed open-source code since October. Anthropic has not named the affected projects.

Twelve Hours, or Else: India's New Patch Clock Starts Ticking
CERT-In tells operators of internet-facing systems to close critical flaws within half a day, citing AI-assisted exploit chains that compress the attacker's runway to minutes.