Vulnerabilities
-
Researchers disclose Gemini prompt injection that used calendar invites to exfiltrate meeting data
A Miggo Security technical analysis shared with The Hacker News revealed an indirect prompt injection that used Google Calendar invites to extract private meeting details from Google Gemini. The flaw was fixed after responsible disclosure.
-
Tennessee man pleads guilty after hacking Supreme Court e-filing system and leaking VA and AmeriCorps data
A Tennessee man pleaded guilty after using stolen credentials to access the Supreme Court e-filing system at least 25 times and to breach AmeriCorps and VA accounts between August and October 2023, prosecutors said.
-
CodeBreach misconfiguration in AWS CodeBuild could have exposed aws-sdk-js-v3 GitHub repo
A CodeBuild misconfiguration could have allowed takeover of AWS-managed GitHub repositories including the AWS JavaScript SDK. The flaw, dubbed CodeBreach, was fixed in September 2025 after responsible disclosure.
-
Critical Fast Pair flaw lets attackers hijack Bluetooth headsets and eavesdrop
Researchers found a Fast Pair implementation flaw that lets attackers force-pair Bluetooth audio devices, enabling hijack, eavesdropping, and tracking of hundreds of millions of accessories. Patches from manufacturers are required to fix vulnerable devices.
-
Critical Modular DS WordPress plugin flaw exploited in the wild
A privilege escalation flaw, CVE-2026-23550, in the Modular DS WordPress plugin is being exploited in the wild. The flaw is patched in version 2.5.2. Update immediately and check for unexpected admin users or malicious changes.
-
Reprompt attack could exfiltrate Microsoft Copilot data with one click
Researchers disclosed Reprompt, a method that can use a single Copilot URL click to inject prompts and enable hidden, ongoing data exfiltration. Microsoft has addressed the issue and enterprise Copilot customers are not affected.
-
Palo Alto fixes GlobalProtect DoS flaw tracked as CVE-2026-0227
Palo Alto issued updates on Jan 15, 2026 for CVE-2026-0227, a high-severity (CVSS 7.7) GlobalProtect denial-of-service flaw. A proof-of-concept exists and no workarounds are available.
-
France fines Free and Free Mobile €42 million after breach exposed 24.6 million records
CNIL imposed a collective €42 million fine on Free and Free Mobile after an October 2024 breach exposed 24,633,469 customer records including IBANs. The decision cited weak VPN authentication, ineffective detection and poor data retention controls.
-
Report finds DLL side-loading attack using GitKraken ahost.exe spreads trojans and stealers
A Trellix report says attackers exploit DLL side-loading in a utility tied to the c-ares library to deliver multiple trojans and stealers to employees in commercial and industrial sectors, using invoice-themed lures in several languages.