Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened Flowise, an open-source low-code platform for building AI chatbots and workflows, was found to have CVE-2025-59528—a critical arbitrary JavaScript code injection vulnerability. This flaw
IncidentThe Problem Your security team, using CrowdStrike , encountered a daunting challenge: 500,000 vulnerability findings flagged by the scanner. Each finding had a CVSS score demanding attention. Patching
IncidentWhat Happened A remote code execution vulnerability in Marimo, an open-source Python notebook platform, was exploited within 10 hours of public disclosure. The flaw, tracked as CVE-2026-39987, affects
LegalArticle 5 of the EU AI Act went into enforcement in February 2025, and compliance teams are scrambling. The issue isn t that the prohibitions are unclear—the European Commission published detailed gui
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened On a Friday in early 2025, CoreWeave disclosed CVE-2026-39987 , a critical remote code execution vulnerability in Marimo, their Python notebook platform. This flaw allowed attackers to e
StandardsYour team likely relies on the NVD scores to decide what to patch, with automation pulling CVSS data to prioritize remediation. Now, NIST is shifting its focus, having enriched nearly 42,000 CVEs in 2
IncidentIncident Overview OpenAI is rotating all of its macOS code-signing certificates and will fully revoke them on May 8, 2026, following a supply chain attack involving a malicious version of the Axios pa
IncidentWhat Happened In 2025, the National Vulnerability Database (NVD) announced it would no longer provide enrichment data—such as CVSS scores, CWE classifications, and affected product configurations—for
StandardsScope - What This Guide Covers This guide defines security responsibilities for teams deploying AI systems from third-party vendors. It addresses: Which security controls belong to your team vs. the v
StandardsYou ve seen the reports. NIST has changed the way it prioritizes software flaws in its CVE framework. The shift is clear: focus on high-impact vulnerabilities, not just volume. This isn t about abando
StandardsThe Challenge Between 2020 and 2023, CVE submissions grew 263%. Last year alone, NIST enriched almost 42,000 CVEs—a 45% year-over-year increase. Then NIST announced it would no longer analyze every vu
StandardsOver the past month, I ve encountered the same set of questions in multiple forums, all centering on Anthropic s Claude Mythos—an AI model that claims to find and weaponize vulnerabilities at an unpre
StandardsA remote code execution vulnerability in protobuf.js (GHSA-xq3m-2v4x-88gg) affecting versions 8.0.0/7.5.4 and lower allows attackers to inject malicious code through unsafe dynamic code generation. If
IncidentWhat Happened Between October 2025 and January 2026, GreyNoise captured 91,403 distinct attack sessions targeting publicly exposed LLM inference endpoints. The primary target was Ollama instances depl
IncidentOverview of the Vulnerability On March 30, security researchers at Pluto Security disclosed CVE-2026-33032 , a critical vulnerability in nginx UI, a popular web-based management tool for nginx servers
IncidentTwo recently fixed prompt injection vulnerabilities in Salesforce Agentforce and Microsoft Copilot could have allowed external attackers to leak sensitive data from enterprise systems. Here s what hap
