Threats Tagged 'exploit'

A high-severity vulnerability (CVE-2026-5027) in the Langflow low-code AI development platform allows unauthenticated attackers to write files to arbitrary locations via a path traversal flaw in the 'POST /api/v2/files' endpoint. This flaw enables remote code execution (RCE) because the filename parameter is not sanitized, and Langflow's default unauthenticated auto-login allows attackers to reach the vulnerable endpoint without credentials. Exploitation attempts have been observed in the wild, with attackers dropping test files on victim systems. Approximately 7,000 Langflow instances are internet-accessible, mostly in North America. The vulnerability was publicly disclosed in March 2026, and no patch or official fix information is provided in the source content.

Anthropic's Claude Mythos Preview AI model can automatically generate working exploits from publicly disclosed vulnerabilities in under an hour, significantly accelerating the timeline from vulnerability disclosure to exploit creation. This capability was demonstrated across multiple Windows and Firefox security patches, achieving a high success rate. The exploits were generated only from known, patched vulnerabilities (N-days), indicating that patched vulnerabilities are no longer inherently safe. This rapid weaponization compresses what historically took human attackers weeks or months into hours, increasing the urgency for enterprises to patch quickly. Anthropic's research highlights a shift in the threat landscape where AI-enabled exploitation is now a measurable threat vector alongside ransomware.

A security flaw in ServiceNow was exploited by unknown threat actors to gain unauthorized access to customer instances. The issue allowed unauthenticated users, under certain conditions, to access ServiceNow instances beyond intended permissions. ServiceNow applied a security update on June 5, 2026, to restrict this access to authenticated users only. The flaw affects customers on the Australia platform release or those with specific configuration changes on earlier releases. ServiceNow detected anomalous activity and notified impacted customers. The vulnerability does not yet have a CVE identifier and was initially reported internally to ServiceNow in April 2026. This is a developing situation with limited technical details publicly available.

Google released an update for Chrome 149 that patches 74 vulnerabilities, including a critical zero-day tracked as CVE-2026-11645. This vulnerability is a high-severity out-of-bounds read/write flaw in the V8 JavaScript engine, which allows remote code execution within the sandbox via a specially crafted HTML page. The zero-day was actively exploited in the wild and reported by an anonymous researcher in late April 2026. This is the fifth Chrome zero-day exploited in 2026, highlighting an ongoing trend of critical vulnerabilities in the browser. Google has awarded the researcher $55,000 for responsible disclosure. The patch fixes this and other critical vulnerabilities, mitigating the risk posed by these exploits.

OpenEMR 7.0.2 - Arbitrary File Read

WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

Cisco has disclosed a critical, unpatched zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager that is actively exploited in the wild. The flaw allows local attackers with netadmin privileges to perform command injection attacks, leading to root privilege escalation by uploading crafted files. Exploitation requires valid credentials or prior exploitation of related vulnerabilities (CVE-2026-20182 or CVE-2026-20127). The vulnerability affects all deployment types of the product, including on-premises and cloud-managed versions. Cisco has not yet released a patch for this zero-day but advises monitoring for indicators of compromise and engaging Cisco TAC for incident response support. The vendor has released patches for related vulnerabilities but this specific flaw remains unpatched at this time.

CVE-2026-23479 is a critical use-after-free vulnerability in Redis introduced in version 7.2.0 and publicly disclosed in 2026. It allows an authenticated user to execute arbitrary OS commands via a three-stage exploit chain involving Lua scripting and memory manipulation. The vulnerability survived multiple security reviews and affects many Redis deployments, especially those without password protection. Official patches were released on May 5, 2026, across multiple Redis branches. Mitigations include immediate patching, restricting Redis exposure to the public internet, enforcing TLS, tightening ACLs, and disabling Lua scripting if unused. This vulnerability is part of a broader set of Redis RCE flaws disclosed simultaneously.

YAMCS yamcs-core 5.12.7 - LDAP Injection

YAMCS yamcs-core 5.12.7 - User Enumeration