Vulnerabilities
-
Ajax says hacker accessed fan data and enabled ticket transfers
AFC Ajax said a hacker accessed parts of its systems and viewed email addresses for a few hundred people and personal details for fewer than 20 people with stadium bans. RTL journalists who were tipped off verified vulnerabilities that they said allowed ticket transfers and broad access to fan records; Ajax says it has patched…
-
China-linked group embeds stealthy kernel backdoors in telecom networks, Rapid7 says
Security firm Rapid7 reported that a China-linked threat cluster known as Red Menshen has embedded kernel-level implants and stealthy backdoors such as BPFDoor inside telecommunications networks to gather intelligence while evading conventional detection.
-
Researchers find flaw that could let websites inject prompts into Anthropic’s Claude Chrome extension
Researchers disclosed a flaw called ShadowPrompt in Anthropic’s Claude Chrome extension that combined an overly permissive origin allowlist and a DOM-based XSS in an Arkose Labs CAPTCHA, allowing websites to inject prompts; Anthropic and Arkose issued fixes in December 2025 and February 2026.
-
Kaspersky links Coruna iOS exploit framework to Operation Triangulation, finds expanded targets
Kaspersky researchers say the Coruna exploit framework is an updated successor to the Operation Triangulation toolkit, adding support for A17 and M3 chips and iOS up to 17.2, and that its components include multiple exploit chains used in both espionage and financially motivated attacks.
-
VoidStealer uses debugger trick to extract Chrome master key, researchers say
VoidStealer, a malware-as-a-service, uses a debugger-based method that leverages hardware breakpoints to extract Chrome’s v20_master_key from memory, researchers at Gen Digital reported.
-
CanisterWorm self propagates in npm after Trivy supply chain compromise
A self propagating worm called CanisterWorm followed a Trivy supply chain compromise to infect 47 npm packages. The worm uses an ICP canister dead drop and stolen npm tokens to publish malicious package versions.
-
Oracle issues emergency fix for critical Identity Manager and Web Services Manager RCE
Oracle issued an out-of-schedule patch for CVE-2026-21992, a critical unauthenticated remote code execution flaw in Identity Manager and Web Services Manager with a CVSS score of 9.8. Customers are urged to patch immediately.
-
Critical Langflow RCE CVE-2026-33017 Exploited Within 20 Hours of Disclosure
A critical unauthenticated RCE in Langflow, CVE-2026-33017 (CVSS 9.3), was disclosed on March 17, 2026 and exploited within 20 hours. Users should apply patches, rotate secrets and restrict network access to public instances.
-
Denver crosswalk audio units broadcast anti-Trump message after default credentials used
Two crosswalk audio units on East Colfax Avenue in Denver played an anti-Trump message in March 2026. Local reporting links the access to factory-default credentials. Passwords were changed and police are investigating.
-
Apple warns older iPhones vulnerable to web-based exploit kits
Apple warned in a support document that exploit kits Coruna and DarkSword can steal data from outdated iPhones via malicious websites. Users should install listed security updates or enable Lockdown Mode if updates are not possible.
