Vulnerabilities
-
Cloudflare says emergency React2Shell patch caused brief network outage
Cloudflare said an emergency change to its Web Application Firewall to mitigate the critical React2Shell vulnerability briefly made its network unavailable, causing widespread 500 errors. The React flaw can allow unauthenticated remote code execution and researchers report active exploitation and circulating proof-of-concept exploits.
-
JPCERT/CC confirms active exploitation of command injection in Array AG gateways
JPCERT/CC says a command injection vulnerability in Array Networks AG Series gateways has been exploited since August 2025 to drop web shells; Array fixed the flaw in May and users are urged to apply ArrayOS 9.4.5.9 or disable DesktopDirect and block semicolon-containing URLs if they cannot patch immediately.
-
UK’s NCSC pilots Proactive Notifications to warn organisations of exposed devices
The UK’s National Cyber Security Centre has begun piloting Proactive Notifications, a Netcraft-delivered service that scans public internet data to warn organisations about exposed devices and recommend updates; it complements the NCSC’s Early Warning alerts but is not a replacement and has no announced end to the pilot phase.
-
Critical React Server Components flaw (React2shell) allows unauthenticated remote code execution; Next.js also affected
A critical deserialization flaw in React Server Components, tracked as CVE-2025-55182 and nicknamed React2shell, can allow unauthenticated remote code execution; related Next.js App Router releases are covered by CVE-2025-66478. Patches are available and vendors and security firms advise applying fixes and using WAFs or access restrictions.
-
Critical privilege-escalation flaw in King Addons plugin under active exploitation
A high-severity privilege-escalation vulnerability (CVE-2025-8489, CVSS 9.8) in the King Addons for Elementor WordPress plugin is being actively exploited; administrators should update to version 51.1.35, audit for suspicious admin users, and monitor for unusual activity.
-
University of Phoenix discloses data breach after Oracle E-Business Suite exploit
The University of Phoenix disclosed a data breach after attackers exploited a zero-day flaw in Oracle E-Business Suite, saying personal and financial records for students, staff and suppliers were accessed; the parent company filed an 8-K and affected individuals will be notified by mail.
-
Three critical bugs in Picklescan could let malicious PyTorch models execute code, researchers say
Researchers disclosed three high-severity vulnerabilities in Picklescan that can be abused to bypass scanning and execute arbitrary code when loading malicious PyTorch models; fixes were released in Picklescan 0.0.31 and related analysis is available from JFrog, SecDim and others.
-
Malicious Rust crate ‘evm‑units’ delivered cross‑platform payloads and targeted Web3 developers
A malicious Rust crate named evm‑units masqueraded as an Ethereum helper and delivered platform‑specific payloads to Windows, macOS and Linux machines. Published by a crates.io user called ablerust and included as a dependency of uniswap‑utils, the package fetched and executed scripts or PowerShell based on the host OS and the presence of Qihoo 360 antivirus,…
-
Calendly-themed phishing campaign spoofs top brands to hijack ad manager accounts
Security researchers found a targeted phishing campaign using fake Calendly invites and brand impersonation to steal Google Workspace and Facebook business credentials and seize advertising manager accounts for malvertising and other attacks.
-
Google issues December Android security updates, patches 107 flaws including two exploited in the wild
Google released December 2025 Android security patches that fix 107 vulnerabilities across multiple components, including two Framework flaws reported as exploited in the wild; users and manufacturers are urged to apply the 2025-12-01 or 2025-12-05 updates.
