Vulnerabilities
- Flowise flaw under active exploitation after critical code injection report
  Threat actors are exploiting a critical Flowise code injection flaw, according to a technical analysis from VulnCheck. The issue can lead to remote code execution, and Flowise fixed it in version 3.0.6.
- Microsoft links Medusa ransomware affiliate to rapid zero-day attacks
  Microsoft said Storm-1175 has used n-day and zero-day flaws in rapid Medusa ransomware attacks, sometimes within 24 hours of initial access, and has hit healthcare, education, finance and other sectors.
- Apple expands iOS 18.7.7 update to more iPhones and iPads after DarkSword attacks
  Apple expanded iOS 18.7.7 and iPadOS 18.7.7 to more older iPhones and iPads on Wednesday to blunt DarkSword attacks, letting users install security fixes without first moving to iOS 26.
- Anthropic employee error exposed Claude Code source code through npm package
  Anthropic said an employee exposed Claude Code source code by including a source map in an npm package. The company called it a packaging error, while experts said such files can reveal logic, prompts and secrets.
- GIGABYTE Control Center flaw could allow remote file writes on Windows systems
  GIGABYTE Control Center has a critical arbitrary file-write flaw that could allow remote unauthenticated attacks on Windows systems with pairing enabled. The vendor has released version 25.12.10.01 to address the issue.
- Claude-assisted analysis finds Vim and Emacs flaws that can run code when files open
  Researchers using Claude found remote code execution flaws in Vim and GNU Emacs that can trigger when a file is opened. Vim has been patched, while the Emacs issue remains unresolved.
- TrueConf zero-day exploited in attacks on Southeast Asian government entities
  A zero-day in TrueConf client video conferencing software was exploited in attacks on Southeast Asian government entities. The flaw let a tampered update run arbitrary code, and the vendor has since patched it in Windows client 8.5.3.
- Google Vertex AI flaw could expose cloud data, researchers say
  Researchers say a Google Cloud Vertex AI flaw could let an attacker abuse AI agent permissions to reach customer data and restricted internal repositories. Google has updated guidance and urged least-privilege controls.
- OpenAI patches ChatGPT data leak bug, researchers say
  OpenAI patched a ChatGPT flaw on February 20, 2026, after researchers said a malicious prompt could leak chat messages, uploaded files and other sensitive data through a hidden DNS-based channel.









