Expert perspectives on application security, compliance, and emerging threats
IncidentCyera s security researchers disclosed six vulnerabilities in protobuf.js that turned schema validation—a process most teams assume is safe—into a remote code execution (RCE) pathway. The vulnerabilit
IncidentWhat Happened An unauthenticated remote code execution vulnerability (CVE-2026-5027) in Langflow, an open-source platform for building AI applications, remains unpatched despite active exploitation. T
IncidentOverview of the Vulnerability A critical remote code execution vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce allowed attackers to execute arbitrary co
IncidentWhat Happened StepSecurity researchers uncovered a malware campaign targeting Python development environments and AI-powered security tools. The malware, named Hades, compromised the C++ library ensma
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened BerriAI s LiteLLM, a proxy layer for managing multiple LLM providers, contained a command injection vulnerability ( CVE-2026-42271 ) that allowed authenticated users to execute arbitrary
IncidentA command injection vulnerability in BerryAI s LiteLLM has been added to CISA s Known Exploited Vulnerabilities catalog and is under active exploitation. CVE-2026-42271 allows attackers to execute arb
IncidentWhat Happened On June 5, 2026, ServiceNow applied an emergency security update after discovering that attackers had exploited an unauthenticated REST endpoint to query customer instance data. The vuln
IncidentWhat Happened On April 27, 2026, security researcher 303f06e3 reported a type confusion vulnerability in Chrome s V8 JavaScript engine to Google. The company confirmed active exploitation and assigned
IncidentMicrosoft s January 2025 Patch Tuesday shipped 206 CVEs—a single-month record. Before you blame Microsoft s code quality, consider this: AI-driven vulnerability scanners are finding bugs faster than h
IncidentOn a Tuesday morning, a developer ran pip install on what appeared to be a legitimate Python package. Instantly, before any of their code executed, a credential harvester was active—extracting AWS key
IncidentRecently, Microsoft temporarily removed 73 of its open-source repositories from GitHub due to an information stealer injected through compromised CI/CD pipelines. Some repositories have been restored,
IncidentOn March 29, 2022, a tweet claiming a zero-day in the Spring Framework triggered a 72-hour scramble across engineering teams worldwide. This incident became a textbook case of how not to handle vulner
IncidentWhat Happened On June 7, 2024, Gogs maintainers released version 0.14.3 to patch a critical zero-day vulnerability that allowed authenticated attackers to execute remote code on affected servers. The
IncidentWhat Happened In March 2022, security researchers disclosed CVE-2022-22965 (Spring4Shell), a remote code execution vulnerability in the Spring Framework s parameter binding mechanism. Organizations pa
IncidentWhat Happened In early 2025, security researchers at Cyera disclosed multiple vulnerabilities in protobuf.js, the JavaScript implementation of Google s Protocol Buffers serialization library. The most
IncidentBetween late 2024 and early 2025, attackers compromised 37 wheel distributions and 19 source packages on the Python Package Index (PyPI) . This campaign, known as Hades, represents a tactical evolutio
